Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561631
MD5:	163c161c40d81abcf7762b5fe1e069f9
SHA1:	69abfd5ffb416aba8ec059fd0b10b90a15f1d6e2
SHA256:	e18eabddf7ffd031c8d469f61ef79a69c7ed5fc4c0b0b083f352306c19a53b1d
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SGDT)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 163C161C40D81ABCF7762B5FE1E069F9)

taskkill.exe (PID: 7276 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7480 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7552 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7652 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7748 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7964 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8028 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8048 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4348 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fa56352-fd4b-4b7f-b423-9a0248dfdb3b} 8048 "\\.\pipe\gecko-crash-server-pipe.8048" 25ae3f70510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8040 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4316 -parentBuildID 20230927232528 -prefsHandle 3496 -prefMapHandle 4280 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed71bddf-fccd-47e2-b4c7-74e3184e403d} 8048 "\\.\pipe\gecko-crash-server-pipe.8048" 25af417da10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6828 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5136 -prefMapHandle 5132 -prefsLen 33202 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dca1960-02c8-4c81-b349-e484fc3aaec9} 8048 "\\.\pipe\gecko-crash-server-pipe.8048" 25afd726710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1248320440.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 7260	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0107EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0107EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0107ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0107ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0107EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0106AB9C GetKeyState,GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0106AB9C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01099576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_01099576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8ccb1bea-1
Source: file.exe, 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_779f51b8-3
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_399ad6c5-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1e3b05e3-b

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000020C64728D77 NtQuerySystemInformation,		24_2_0000020C64728D77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000020C64744A72 NtQuerySystemInformation,		24_2_0000020C64744A72

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0106D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0106D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01061201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_01061201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0106E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0106E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01072046	0_2_01072046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01008060	0_2_01008060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01068298	0_2_01068298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103E4FF	0_2_0103E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103676B	0_2_0103676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01094873	0_2_01094873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102CAA0	0_2_0102CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100CAF0	0_2_0100CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01036DD9	0_2_01036DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101CC39	0_2_0101CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101B119	0_2_0101B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010091C0	0_2_010091C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01021394	0_2_01021394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01021706	0_2_01021706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01007920	0_2_01007920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101997D	0_2_0101997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010219B0	0_2_010219B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102781B	0_2_0102781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01027A4A	0_2_01027A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01021C77	0_2_01021C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01027CA7	0_2_01027CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01021F32	0_2_01021F32
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0108BE44	0_2_0108BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01039EEE	0_2_01039EEE
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000020C64728D77	24_2_0000020C64728D77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000020C64744A72	24_2_0000020C64744A72
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000020C6474519C	24_2_0000020C6474519C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000020C64744AB2	24_2_0000020C64744AB2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0101F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 01020A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 01009CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@67/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010737B5 GetLastError,FormatMessageW,

0_2_010737B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010610BF AdjustTokenPrivileges,CloseHandle,		0_2_010610BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_010616C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_010751CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0106D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0106D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0107648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0107648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_010042A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user~1\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 00000013.00000003.1457925809.0000025AFD981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 00000013.00000003.1457925809.0000025AFD981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 00000013.00000003.1457925809.0000025AFD981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 00000013.00000003.1457925809.0000025AFD981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 00000013.00000003.1497315555.0000025AF5272000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 00000013.00000003.1457925809.0000025AFD981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 00000013.00000003.1457925809.0000025AFD981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 00000013.00000003.1457925809.0000025AFD981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 00000013.00000003.1457925809.0000025AFD981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 00000013.00000003.1457925809.0000025AFD981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

Virustotal: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fa56352-fd4b-4b7f-b423-9a0248dfdb3b} 8048 "\\.\pipe\gecko-crash-server-pipe.8048" 25ae3f70510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4316 -parentBuildID 20230927232528 -prefsHandle 3496 -prefMapHandle 4280 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed71bddf-fccd-47e2-b4c7-74e3184e403d} 8048 "\\.\pipe\gecko-crash-server-pipe.8048" 25af417da10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5136 -prefMapHandle 5132 -prefsLen 33202 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dca1960-02c8-4c81-b349-e484fc3aaec9} 8048 "\\.\pipe\gecko-crash-server-pipe.8048" 25afd726710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fa56352-fd4b-4b7f-b423-9a0248dfdb3b} 8048 "\\.\pipe\gecko-crash-server-pipe.8048" 25ae3f70510 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4316 -parentBuildID 20230927232528 -prefsHandle 3496 -prefMapHandle 4280 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed71bddf-fccd-47e2-b4c7-74e3184e403d} 8048 "\\.\pipe\gecko-crash-server-pipe.8048" 25af417da10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5136 -prefMapHandle 5132 -prefsLen 33202 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dca1960-02c8-4c81-b349-e484fc3aaec9} 8048 "\\.\pipe\gecko-crash-server-pipe.8048" 25afd726710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: UxTheme.pdb source: firefox.exe, 00000013.00000003.1500590679.0000025AF488C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsaenh.pdb source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 00000013.00000003.1490683266.0000025AF52EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 00000013.00000003.1498210343.0000025AF4F7C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 00000013.00000003.1499264640.0000025AF4DDC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 00000013.00000003.1499264640.0000025AF4DDC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1499315010.0000025AF4D71000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 00000013.00000003.1500590679.0000025AF488C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: npmproxy.pdbUGP source: firefox.exe, 00000013.00000003.1509889976.0000025AF173A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 00000013.00000003.1507228251.0000025AF173A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1499869277.0000025AF4D5D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 00000013.00000003.1490683266.0000025AF52EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 00000013.00000003.1497368337.0000025AF525C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 00000013.00000003.1490152403.0000025AF545C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 00000013.00000003.1506345384.0000025B0245D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xul.pdb source: firefox.exe, 00000013.00000003.1500590679.0000025AF488C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: firefox.exe, 00000013.00000003.1500590679.0000025AF488C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdbP4 source: firefox.exe, 00000013.00000003.1500003178.0000025AF48DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 00000013.00000003.1498210343.0000025AF4F7C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: firefox.exe, 00000013.00000003.1500590679.0000025AF488C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 00000013.00000003.1497368337.0000025AF525C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: firefox.exe, 00000013.00000003.1500590679.0000025AF488C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 00000013.00000003.1497368337.0000025AF525C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 00000013.00000003.1507228251.0000025AF173A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: version.pdbstate-dd-Disabled source: firefox.exe, 00000013.00000003.1500003178.0000025AF48B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 00000013.00000003.1498210343.0000025AF4F7C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: firefox.exe, 00000013.00000003.1500590679.0000025AF488C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: firefox.exe, 00000013.00000003.1499264640.0000025AF4DDC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 00000013.00000003.1505456727.0000025AF173A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 00000013.00000003.1497368337.0000025AF525C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 00000013.00000003.1498642244.0000025AF4EED000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: firefox.exe, 00000013.00000003.1500590679.0000025AF487D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 00000013.00000003.1498210343.0000025AF4F7C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 00000013.00000003.1505456727.0000025AF173A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 00000013.00000003.1498210343.0000025AF4F7C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: firefox.exe, 00000013.00000003.1500003178.0000025AF48DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 00000013.00000003.1500590679.0000025AF488C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdb source: firefox.exe, 00000013.00000003.1506345384.0000025B0245D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: firefox.exe, 00000013.00000003.1500003178.0000025AF48DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: firefox.exe, 00000013.00000003.1500590679.0000025AF487D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: firefox.exe, 00000013.00000003.1500590679.0000025AF488C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: firefox.exe, 00000013.00000003.1500590679.0000025AF488C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: firefox.exe, 00000013.00000003.1500003178.0000025AF48B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.19.dr
Source:	Binary string: winmm.pdb source: firefox.exe, 00000013.00000003.1500003178.0000025AF48DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: npmproxy.pdb source: firefox.exe, 00000013.00000003.1509889976.0000025AF173A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 00000013.00000003.1498070391.0000025AF4FB6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: firefox.exe, 00000013.00000003.1498210343.0000025AF4F7C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb source: firefox.exe, 00000013.00000003.1500003178.0000025AF48B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: firefox.exe, 00000013.00000003.1500590679.0000025AF488C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdb source: firefox.exe, 00000013.00000003.1500003178.0000025AF48DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 00000013.00000003.1498210343.0000025AF4F7C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 00000013.00000003.1498642244.0000025AF4EED000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: firefox.exe, 00000013.00000003.1500003178.0000025AF48B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.19.dr
Source:	Binary string: psapi.pdb source: firefox.exe, 00000013.00000003.1500003178.0000025AF48DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1500003178.0000025AF48B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: DWrite.pdb source: firefox.exe, 00000013.00000003.1500003178.0000025AF48DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: firefox.exe, 00000013.00000003.1500590679.0000025AF488C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdbX-Telemetry-Agent source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdbUrlClassifierStreamUpdater source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 00000013.00000003.1498210343.0000025AF4F7C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 00000013.00000003.1497713803.0000025AF5235000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: firefox.exe, 00000013.00000003.1500590679.0000025AF488C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 00000013.00000003.1500590679.0000025AF488C000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_010042DE

Source: gmpopenh264.dll.tmp.19.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01020A76 push ecx; ret

0_2_01020A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0101F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01091C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01091C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96628

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 24_2_0000020C64728D77 rdtsc

24_2_0000020C64728D77

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01011199 sgdt fword ptr [ecx]

0_2_01011199

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0106DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103C2A2 FindFirstFileExW,	0_2_0103C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0107698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0107698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010768EE FindFirstFileW,FindClose,	0_2_010768EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0106D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0106D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0107979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0107979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01079642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01079642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01079B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_01079B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01075C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_01075C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_010042DE

Source: firefox.exe, 00000015.00000002.2514513454.000001B80DC00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWr
Source: firefox.exe, 00000015.00000002.2508642616.000001B80D60A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2513971349.0000020C64BF0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2507876945.0000020C6443A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2507970273.00000223AEA8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000015.00000002.2513972398.000001B80DB19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000001A.00000002.2510185838.00000223AEBA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWjw+
Source: firefox.exe, 00000015.00000002.2514513454.000001B80DC00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2513971349.0000020C64BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 24_2_0000020C64728D77 rdtsc

24_2_0000020C64728D77

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0107EAA2 BlockInput,

0_2_0107EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01032622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_01032622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_010042DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01024CE8 mov eax, dword ptr fs:[00000030h]

0_2_01024CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01060B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_01060B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01032622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_01032622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010209D5 SetUnhandledExceptionFilter,	0_2_010209D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0102083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01020C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_01020C21

Source: C:\Users\user\Desktop\file.exe

0_2_01061201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01042BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_01042BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0106B226 SendInput,keybd_event,

0_2_0106B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0106E355 mouse_event,

0_2_0106E355

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_01060B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01061663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_01061663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 00000013.00000003.1468210243.0000025B02401000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01020698 cpuid

0_2_01020698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01078195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_01078195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0105D27A GetUserNameW,

0_2_0105D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0103B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0103B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_010042DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1248320440.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7260, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1248320440.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7260, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01081204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_01081204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01081806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_01081806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	35%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.65	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.129.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.19.14	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.1.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000001A.00000002.2510940318.00000223AEEC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 00000013.00000003.1519879875.0000025AF715F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 00000013.00000003.1371324691.0000025B01D46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1490683266.0000025AF52EE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.19.dr	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000018.00000002.2509914646.0000020C64686000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510940318.00000223AEE8F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 00000013.00000003.1347064504.0000025AFBFFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1491097283.0000025AF529D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://screenshots.firefox.com	firefox.exe, 00000013.00000003.1294985855.0000025AF2478000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 00000013.00000003.1448326833.0000025AFBC25000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000013.00000003.1301454404.0000025AF3B7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1300113759.0000025AF3B21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1299741603.0000025AF3900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1300355238.0000025AF3B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1300491471.0000025AF3B60000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 00000013.00000003.1457925809.0000025AFD981000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 00000013.00000003.1478871180.0000025AFBE2D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 00000013.00000003.1479514243.0000025AFBC38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1448326833.0000025AFBC2D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000013.00000003.1301454404.0000025AF3B7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1300113759.0000025AF3B21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1299741603.0000025AF3900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1434632218.0000025AF638A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1300355238.0000025AF3B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1498833023.0000025AF4E9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1349401781.0000025AF4D93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1491097283.0000025AF529D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1300491471.0000025AF3B60000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 00000013.00000003.1482659163.0000025AF708B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 00000013.00000003.1300113759.0000025AF3B21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1299741603.0000025AF3900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1300355238.0000025AF3B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1300491471.0000025AF3B60000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 00000013.00000003.1472436336.0000025B001DB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	firefox.exe, 00000013.00000003.1498833023.0000025AF4EA9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 00000013.00000003.1492032432.0000025AFD7E2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.instagram.com/	firefox.exe, 00000013.00000003.1431823502.0000025B01D93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1396656036.0000025B01D93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1404891156.0000025B01D93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1370082085.0000025B01D95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1368109510.0000025B01D93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1368905655.0000025B01D93000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ok.ru/	firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 00000013.00000003.1448326833.0000025AFBC25000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://fpn.firefox.com	firefox.exe, 00000013.00000003.1295240368.0000025AF2420000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 00000013.00000003.1488513308.0000025AF5787000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 00000018.00000002.2509914646.0000020C64603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510940318.00000223AEE0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 00000013.00000003.1399691280.0000025AF4C65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1399065912.0000025AF4C1A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 00000013.00000003.1492152880.0000025AFD793000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000001A.00000002.2510940318.00000223AEEC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 00000013.00000003.1486093073.0000025AF7B83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1449773784.0000025AF7B83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1480248979.0000025AF7B83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 00000013.00000003.1399691280.0000025AF4C65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1399065912.0000025AF4C1A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 00000013.00000003.1406655415.0000025AF53E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1435550353.0000025AF53E1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 00000013.00000003.1473281511.0000025AFD754000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.19.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 00000013.00000003.1500400052.0000025AF48A3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000015.00000002.2510562104.000001B80D9B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2509914646.0000020C646F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2514216130.00000223AEF03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.19.dr	false	high
https://spocs.getpocket.com/	firefox.exe, 0000001A.00000002.2510940318.00000223AEE13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 00000013.00000003.1478871180.0000025AFBE2D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 00000013.00000003.1474185936.0000025AFC375000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 00000013.00000003.1399065912.0000025AF4C0B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000013.00000003.1367423745.0000025AF4BC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1318137514.0000025AF4BE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1441731858.0000025AF3F78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1483139076.0000025AF7068000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1407403466.0000025AF53D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1432834746.0000025B01DA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1425746025.0000025AFBD9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1370082085.0000025B01DA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1455907027.0000025AF56E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1462665917.0000025AF4BF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1479375640.0000025AFBC67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1406221339.0000025AF53EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1419287100.0000025AF6353000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1481577954.0000025AF712E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1407945098.0000025AF55E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1404891156.0000025B01D9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1469292347.0000025AF3F98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1429510788.0000025AF4BF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1483400042.0000025AF7044000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1316056641.0000025AF4BF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1371324691.0000025B01D5F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 00000013.00000003.1482659163.0000025AF708B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 00000013.00000003.1482659163.0000025AF708B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.19.dr	false	high
https://www.zhihu.com/	firefox.exe, 00000013.00000003.1485863072.0000025AFBCAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1347164806.0000025AFBCA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1479245287.0000025AFBCA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1448326833.0000025AFBC9E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 00000013.00000003.1491554935.0000025B00996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1488513308.0000025AF5787000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 00000013.00000003.1491554935.0000025B00996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1488513308.0000025AF5787000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 00000013.00000003.1474185936.0000025AFC375000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 00000013.00000003.1479514243.0000025AFBC38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1448326833.0000025AFBC2D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 00000013.00000003.1499315010.0000025AF4DAF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 00000013.00000003.1479514243.0000025AFBC38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1448326833.0000025AFBC2D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 00000013.00000003.1312315711.0000025AF3833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1446541500.0000025AF3839000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 00000013.00000003.1399065912.0000025AF4C0B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 00000013.00000003.1490056769.0000025AF5461000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 00000013.00000003.1450430957.0000025AF714A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1494006013.0000025AF7152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1481497356.0000025AF714A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 00000013.00000003.1399691280.0000025AF4C65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1399065912.0000025AF4C0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1399065912.0000025AF4C1A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 00000013.00000003.1312315711.0000025AF3833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1446541500.0000025AF3839000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 00000013.00000003.1492152880.0000025AFD793000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 00000013.00000003.1485339651.0000025AFBF58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1449830906.0000025AF7B72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 00000013.00000003.1520237634.0000025AF64B8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 00000013.00000003.1300491471.0000025AF3B60000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 00000013.00000003.1301454404.0000025AF3B7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1300113759.0000025AF3B21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1299741603.0000025AF3900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1434632218.0000025AF638A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1300355238.0000025AF3B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1498833023.0000025AF4E9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1349401781.0000025AF4D93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1498833023.0000025AF4EC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1300491471.0000025AF3B60000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gpuweb.github.io/gpuweb/	firefox.exe, 00000013.00000003.1478871180.0000025AFBE2D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://relay.firefox.com/api/v1/	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	firefox.exe, 00000015.00000002.2510562104.000001B80D9B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2509914646.0000020C646F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2514216130.00000223AEF03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.19.dr	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000015.00000002.2513726267.000001B80DA30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2509101216.0000020C644A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2510535404.00000223AECB0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://twitter.com/	firefox.exe, 00000013.00000003.1499264640.0000025AF4DDC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://vk.com/	firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.olx.pl/	firefox.exe, 00000013.00000003.1485863072.0000025AFBCAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1347164806.0000025AFBCA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1479245287.0000025AFBCA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1448326833.0000025AFBC9E000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561631
Start date and time:	2024-11-24 02:13:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@67/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 40 Number of non-executed functions: 315
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.209.229.249, 52.12.64.98, 35.164.125.63, 172.217.17.74, 172.217.17.46, 88.221.134.209, 88.221.134.155
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, time.windows.com, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:14:19	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	2fQ8fpTWAP.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	2fQ8fpTWAP.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	ZOL2mIYAUH.exe	Get hash	malicious	Phemedrone Stealer, PureLog Stealer, XWorm, zgRAT	Browse	185.199.109.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	2fQ8fpTWAP.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	2fQ8fpTWAP.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b672e7be-f06e-420f-8837-2df4b1b7a82a.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.176530043160858
Encrypted:	false
SSDEEP:	192:N2MvMX02pcbhbVbTbfbRbObtbyEl7nAr+JA6unSrDtTkd/S9/:wFNcNhnzFSJgrd1nSrDhkd/c/
MD5:	DEA85DA9200E125C89C99ECCC754C832
SHA1:	4201988F81C3F3CB9B6C8A8B4D9EA36E2ADAF075
SHA-256:	C5B067FDCC568742610FCA5FB7D0C09FF83A88FF471246E7D32BFC9DBD590E6E
SHA-512:	66FB3C28DBCD4703F362CF11CEBA8D653329A54EB2D98AE1C4402A463094F3DD05C6734B67B2B4EFBBF203B2C3DB5253F29F7E5022BF7C0C3E1455FCFA52F3FC
Malicious:	false
Preview:	{"type":"uninstall","id":"b672e7be-f06e-420f-8837-2df4b1b7a82a","creationDate":"2024-11-24T02:50:06.665Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b672e7be-f06e-420f-8837-2df4b1b7a82a.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.176530043160858
Encrypted:	false
SSDEEP:	192:N2MvMX02pcbhbVbTbfbRbObtbyEl7nAr+JA6unSrDtTkd/S9/:wFNcNhnzFSJgrd1nSrDhkd/c/
MD5:	DEA85DA9200E125C89C99ECCC754C832
SHA1:	4201988F81C3F3CB9B6C8A8B4D9EA36E2ADAF075
SHA-256:	C5B067FDCC568742610FCA5FB7D0C09FF83A88FF471246E7D32BFC9DBD590E6E
SHA-512:	66FB3C28DBCD4703F362CF11CEBA8D653329A54EB2D98AE1C4402A463094F3DD05C6734B67B2B4EFBBF203B2C3DB5253F29F7E5022BF7C0C3E1455FCFA52F3FC
Malicious:	false
Preview:	{"type":"uninstall","id":"b672e7be-f06e-420f-8837-2df4b1b7a82a","creationDate":"2024-11-24T02:50:06.665Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.941694702349281
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLCl2y8P:8S+Oc+UAOdwiOdKeQjDLCl2y8P
MD5:	62FC4AEEF089450CB432A8F5A26E69EE
SHA1:	483138C1F68349BF3E1B8FE8269730EBCC0B9BBA
SHA-256:	FD4323CFB3B7AAC68BA475B9A1A7A6F88750F97FB1921A1E069740F05F66EFBD
SHA-512:	F18DAC32938BC2E89FAD22100BB5866B3474418AC2A85A31900671EBA10883389992EE972B8D6619794EA7E3D59529D524D36AF3BA0E576FC01B4D382118E11F
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.941694702349281
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLCl2y8P:8S+Oc+UAOdwiOdKeQjDLCl2y8P
MD5:	62FC4AEEF089450CB432A8F5A26E69EE
SHA1:	483138C1F68349BF3E1B8FE8269730EBCC0B9BBA
SHA-256:	FD4323CFB3B7AAC68BA475B9A1A7A6F88750F97FB1921A1E069740F05F66EFBD
SHA-512:	F18DAC32938BC2E89FAD22100BB5866B3474418AC2A85A31900671EBA10883389992EE972B8D6619794EA7E3D59529D524D36AF3BA0E576FC01B4D382118E11F
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0733167959846384
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiG:DLhesh7Owd4+ji
MD5:	5C4260671DC1819C5DF5C450403B8483
SHA1:	AFC68E2DAC344143C8CA8288428C3C2D594F7B5B
SHA-256:	636B6801C6AA2AAD6845B9D6C409D28B411C0214D81E5BF877910959B89559BE
SHA-512:	ED0A45BB8375E23F3FEF23060FA0AFFEE700309FE9D513DA23F6A5BBAF85BF1863394C2B623EF82572D6F0C24FBD2F52ED3FFD07B934707960EDC9AEC8432DB2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035577876577226504
Encrypted:	false
SSDEEP:	3:GtlstFTaytlBkJk23sPlstFTaytlBkJk23Tl/T89//alEl:GtWtgy+J/sWtgy+J/DlL89XuM
MD5:	2FE74FE2AD3785188D5359020E4B53BC
SHA1:	2FC7DD75673AFA592D7FDB072828AE23E40D8EC5
SHA-256:	9EDD0481BCF9596BF7294D815CD1B4EBCAC7D616B9A9F70E3F36B691EC79BD3A
SHA-512:	9620C12E1942744C30D57841AF78B74DC3FF49E1F8F15AB445A6F32FCC7AAE2EF367BCE97566CCC9A640287A046FFA91FF9BCEF6EAD4FF7CB75BB0CDF7477114
Malicious:	false
Preview:	..-..........................=:.j.-j.d......%\|..-..........................=:.j.-j.d......%\|........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.039775393174900406
Encrypted:	false
SSDEEP:	3:Ol1lYB/alN54FBX8lh7l8rEXsxdwhml8XW3R2:Kcy4gDl8dMhm93w
MD5:	A07777CA05ABDEF424F786CE82C77833
SHA1:	7E4C8C35FE3F4FC726AC1209698878E63BC7D6CE
SHA-256:	BF76174B320C764383258CB38E3214DB40A9F54F5FD549A7D24834B2165E7F3C
SHA-512:	18B702A25AE8FC95F8A019650FA1B42DF82E657D49946C9A0FD9845CEBC64D8CFA6D7E153D336D143E144D63CAE61D7004A50B55389222567F3D2D99F7BBE95F
Malicious:	false
Preview:	7....-...........j.-j.dg.m............j.-j.d....:=.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.478123996303423
Encrypted:	false
SSDEEP:	192:lAnSRkyYbBp6GqUCaXL6VoLNmeF5RHNBw8dMnSl:DeBqUWOxXPwt0
MD5:	C326C203EF87C0B55594AE68E659086C
SHA1:	DA4487462851C9288793DC981E8E299B4DE31983
SHA-256:	5C54206F7AF27C9AE07F8D488ADAFD44A045CABE638F2018A278D0DF10F1F9E1
SHA-512:	B359C5790D9CA1B7BCC8E43D4A5AB53DBF0451600802BA86766964C3F6CCD2FFEFECE2293A56A62A72D6FA9089F988F67A5820F460B224D3234B10D2E8DAFC95
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732416577);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732416577);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732416577);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173241

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.478123996303423
Encrypted:	false
SSDEEP:	192:lAnSRkyYbBp6GqUCaXL6VoLNmeF5RHNBw8dMnSl:DeBqUWOxXPwt0
MD5:	C326C203EF87C0B55594AE68E659086C
SHA1:	DA4487462851C9288793DC981E8E299B4DE31983
SHA-256:	5C54206F7AF27C9AE07F8D488ADAFD44A045CABE638F2018A278D0DF10F1F9E1
SHA-512:	B359C5790D9CA1B7BCC8E43D4A5AB53DBF0451600802BA86766964C3F6CCD2FFEFECE2293A56A62A72D6FA9089F988F67A5820F460B224D3234B10D2E8DAFC95
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732416577);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732416577);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732416577);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173241

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.333645041775045
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSmGtLXnIgm/pnxQwRlszT5sKhia3eHVVPNZTo4amhuj3pOOcUb2mi7:GUpOx+GnR653etZTo445edHd
MD5:	E0D4B19F831D99C8BB96EDC487579773
SHA1:	B122A0845DA3AC6F5FC27EA1DBAAA75DE12F7D66
SHA-256:	BB182E2ABB8B812BE3E1715F1BC8C7234FFEB2A6AF7121BF9529B424BB2EF202
SHA-512:	139F1E5287883D332E36356C53101D1E0FAB8A804201FB2C68F473FAF20B3770B3287B9B69B58851EAA71D4CBB4362C7BF4A809F431C7E812C44FA9219264178
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{f2a203b2-e484-488d-b46c-4a5247da4fa6}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732416583423,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P45866...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...55922,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.333645041775045
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSmGtLXnIgm/pnxQwRlszT5sKhia3eHVVPNZTo4amhuj3pOOcUb2mi7:GUpOx+GnR653etZTo445edHd
MD5:	E0D4B19F831D99C8BB96EDC487579773
SHA1:	B122A0845DA3AC6F5FC27EA1DBAAA75DE12F7D66
SHA-256:	BB182E2ABB8B812BE3E1715F1BC8C7234FFEB2A6AF7121BF9529B424BB2EF202
SHA-512:	139F1E5287883D332E36356C53101D1E0FAB8A804201FB2C68F473FAF20B3770B3287B9B69B58851EAA71D4CBB4362C7BF4A809F431C7E812C44FA9219264178
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{f2a203b2-e484-488d-b46c-4a5247da4fa6}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732416583423,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P45866...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...55922,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.333645041775045
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSmGtLXnIgm/pnxQwRlszT5sKhia3eHVVPNZTo4amhuj3pOOcUb2mi7:GUpOx+GnR653etZTo445edHd
MD5:	E0D4B19F831D99C8BB96EDC487579773
SHA1:	B122A0845DA3AC6F5FC27EA1DBAAA75DE12F7D66
SHA-256:	BB182E2ABB8B812BE3E1715F1BC8C7234FFEB2A6AF7121BF9529B424BB2EF202
SHA-512:	139F1E5287883D332E36356C53101D1E0FAB8A804201FB2C68F473FAF20B3770B3287B9B69B58851EAA71D4CBB4362C7BF4A809F431C7E812C44FA9219264178
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{f2a203b2-e484-488d-b46c-4a5247da4fa6}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732416583423,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P45866...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...55922,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.036930621315484
Encrypted:	false
SSDEEP:	48:YrSAYRceUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAct:ycRc+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	94B9453D4277EA90C0C09867C91DA7C2
SHA1:	3ECEE6754EF55B0002D862EA7572D0023586427A
SHA-256:	354A8A07E1D2D9CB38CBFB43ED9904C2076E1096D2F62076583F00E9F20335F8
SHA-512:	51955A77CD64E9543A7802C2EC47B677B6F41FAC22FF32FAA3DD6A78188E35BD380D9C72C0D79EF06AEFD2D38EC2ABEDD909779AB3DF8BDD318506D572A06787
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T02:49:26.383Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.036930621315484
Encrypted:	false
SSDEEP:	48:YrSAYRceUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAct:ycRc+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	94B9453D4277EA90C0C09867C91DA7C2
SHA1:	3ECEE6754EF55B0002D862EA7572D0023586427A
SHA-256:	354A8A07E1D2D9CB38CBFB43ED9904C2076E1096D2F62076583F00E9F20335F8
SHA-512:	51955A77CD64E9543A7802C2EC47B677B6F41FAC22FF32FAA3DD6A78188E35BD380D9C72C0D79EF06AEFD2D38EC2ABEDD909779AB3DF8BDD318506D572A06787
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T02:49:26.383Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.590292406961086
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	921'600 bytes
MD5:	163c161c40d81abcf7762b5fe1e069f9
SHA1:	69abfd5ffb416aba8ec059fd0b10b90a15f1d6e2
SHA256:	e18eabddf7ffd031c8d469f61ef79a69c7ed5fc4c0b0b083f352306c19a53b1d
SHA512:	d7aeed672a002d87bc8776e3cbc574e0f336b8152f199cdeeeba845054239f57c3468758205abcd29716e6c4f35a23cbec8a57d93e372b1c9b258d80623e2669
SSDEEP:	12288:zqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaUTg:zqDEvCTbMWu7rQYlBQcBiT6rprG8a0g
TLSH:	E2159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674279AB [Sun Nov 24 00:56:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F75CCCD8183h
jmp 00007F75CCCD7A8Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F75CCCD7C6Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F75CCCD7C3Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F75CCCDA82Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F75CCCDA878h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F75CCCDA861h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa5a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa5a0	0xa600	0ff3b32de5b340e502b8654c9b9a6389	False	0.3604103915662651	data	5.567648895585638	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1868	data			1.0017605633802817
RT_GROUP_ICON	0xde020	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde098	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde0ac	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde0c0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde0d4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde1b0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 02:14:13.800081968 CET	49707	443	192.168.2.7	35.190.72.216
Nov 24, 2024 02:14:13.800106049 CET	443	49707	35.190.72.216	192.168.2.7
Nov 24, 2024 02:14:13.800304890 CET	49707	443	192.168.2.7	35.190.72.216
Nov 24, 2024 02:14:13.804404020 CET	49707	443	192.168.2.7	35.190.72.216
Nov 24, 2024 02:14:13.804418087 CET	443	49707	35.190.72.216	192.168.2.7
Nov 24, 2024 02:14:14.736978054 CET	49709	443	192.168.2.7	142.250.181.78
Nov 24, 2024 02:14:14.737023115 CET	443	49709	142.250.181.78	192.168.2.7
Nov 24, 2024 02:14:14.737209082 CET	49709	443	192.168.2.7	142.250.181.78
Nov 24, 2024 02:14:14.738666058 CET	49709	443	192.168.2.7	142.250.181.78
Nov 24, 2024 02:14:14.738682032 CET	443	49709	142.250.181.78	192.168.2.7
Nov 24, 2024 02:14:14.938561916 CET	49710	443	192.168.2.7	142.250.181.78
Nov 24, 2024 02:14:14.938597918 CET	443	49710	142.250.181.78	192.168.2.7
Nov 24, 2024 02:14:14.944617033 CET	49710	443	192.168.2.7	142.250.181.78
Nov 24, 2024 02:14:14.946254015 CET	49710	443	192.168.2.7	142.250.181.78
Nov 24, 2024 02:14:14.946266890 CET	443	49710	142.250.181.78	192.168.2.7
Nov 24, 2024 02:14:15.029424906 CET	443	49707	35.190.72.216	192.168.2.7
Nov 24, 2024 02:14:15.029496908 CET	49707	443	192.168.2.7	35.190.72.216
Nov 24, 2024 02:14:15.037286043 CET	49707	443	192.168.2.7	35.190.72.216
Nov 24, 2024 02:14:15.037297964 CET	443	49707	35.190.72.216	192.168.2.7
Nov 24, 2024 02:14:15.037409067 CET	49707	443	192.168.2.7	35.190.72.216
Nov 24, 2024 02:14:15.037530899 CET	443	49707	35.190.72.216	192.168.2.7
Nov 24, 2024 02:14:15.037585020 CET	49707	443	192.168.2.7	35.190.72.216
Nov 24, 2024 02:14:15.056804895 CET	49712	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:15.176318884 CET	80	49712	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:15.183012009 CET	49712	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:15.183216095 CET	49712	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:15.302618980 CET	80	49712	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:15.639913082 CET	49713	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:15.639980078 CET	443	49713	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:15.641823053 CET	49713	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:15.643341064 CET	49713	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:15.643373966 CET	443	49713	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:15.804356098 CET	49714	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:15.804408073 CET	443	49714	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:15.804585934 CET	49714	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:15.806035042 CET	49714	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:15.806052923 CET	443	49714	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:15.806391954 CET	49715	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:15.806402922 CET	443	49715	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:15.806561947 CET	49715	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:15.806679010 CET	49715	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:15.806689978 CET	443	49715	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:15.819331884 CET	49716	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:15.819360971 CET	443	49716	34.160.144.191	192.168.2.7
Nov 24, 2024 02:14:15.819451094 CET	49716	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:15.819560051 CET	49716	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:15.819572926 CET	443	49716	34.160.144.191	192.168.2.7
Nov 24, 2024 02:14:16.269052029 CET	80	49712	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:16.269298077 CET	49712	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:16.389136076 CET	80	49712	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:16.390729904 CET	49712	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:16.546360016 CET	49717	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:16.665797949 CET	80	49717	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:16.667073965 CET	49717	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:16.667258978 CET	49717	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:16.738945007 CET	443	49709	142.250.181.78	192.168.2.7
Nov 24, 2024 02:14:16.739984989 CET	443	49709	142.250.181.78	192.168.2.7
Nov 24, 2024 02:14:16.740529060 CET	443	49710	142.250.181.78	192.168.2.7
Nov 24, 2024 02:14:16.741542101 CET	443	49710	142.250.181.78	192.168.2.7
Nov 24, 2024 02:14:16.747349024 CET	443	49709	142.250.181.78	192.168.2.7
Nov 24, 2024 02:14:16.749805927 CET	49709	443	192.168.2.7	142.250.181.78
Nov 24, 2024 02:14:16.758683920 CET	49710	443	192.168.2.7	142.250.181.78
Nov 24, 2024 02:14:16.758696079 CET	443	49710	142.250.181.78	192.168.2.7
Nov 24, 2024 02:14:16.762094975 CET	49709	443	192.168.2.7	142.250.181.78
Nov 24, 2024 02:14:16.762116909 CET	443	49709	142.250.181.78	192.168.2.7
Nov 24, 2024 02:14:16.762181997 CET	49709	443	192.168.2.7	142.250.181.78
Nov 24, 2024 02:14:16.762429953 CET	443	49709	142.250.181.78	192.168.2.7
Nov 24, 2024 02:14:16.764774084 CET	49710	443	192.168.2.7	142.250.181.78
Nov 24, 2024 02:14:16.764787912 CET	443	49710	142.250.181.78	192.168.2.7
Nov 24, 2024 02:14:16.764873028 CET	49710	443	192.168.2.7	142.250.181.78
Nov 24, 2024 02:14:16.764971972 CET	49709	443	192.168.2.7	142.250.181.78
Nov 24, 2024 02:14:16.765057087 CET	443	49710	142.250.181.78	192.168.2.7
Nov 24, 2024 02:14:16.765264034 CET	49710	443	192.168.2.7	142.250.181.78
Nov 24, 2024 02:14:16.786643982 CET	80	49717	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:16.958302975 CET	443	49713	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:16.958524942 CET	49713	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:16.972995043 CET	49713	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:16.973022938 CET	443	49713	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:16.973095894 CET	49713	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:16.973164082 CET	443	49713	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:16.973424911 CET	49718	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:16.973457098 CET	443	49718	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:16.973550081 CET	49713	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:16.973573923 CET	49718	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:16.974704981 CET	49718	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:16.974720001 CET	443	49718	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:17.066742897 CET	443	49715	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:17.066916943 CET	49715	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:17.069998026 CET	49715	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:17.070014954 CET	443	49715	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:17.070281029 CET	443	49715	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:17.072371006 CET	49715	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:17.072451115 CET	49715	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:17.072530031 CET	443	49715	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:17.072592974 CET	49715	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:17.072613955 CET	49715	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:17.079756021 CET	443	49716	34.160.144.191	192.168.2.7
Nov 24, 2024 02:14:17.079889059 CET	49716	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:17.082448006 CET	49716	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:17.082457066 CET	443	49716	34.160.144.191	192.168.2.7
Nov 24, 2024 02:14:17.083123922 CET	443	49716	34.160.144.191	192.168.2.7
Nov 24, 2024 02:14:17.084393978 CET	49716	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:17.084486961 CET	49716	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:17.084537029 CET	443	49716	34.160.144.191	192.168.2.7
Nov 24, 2024 02:14:17.084811926 CET	49719	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:17.084858894 CET	443	49719	34.160.144.191	192.168.2.7
Nov 24, 2024 02:14:17.084901094 CET	49716	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:17.084917068 CET	49716	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:17.085129023 CET	49719	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:17.085270882 CET	49719	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:17.085282087 CET	443	49719	34.160.144.191	192.168.2.7
Nov 24, 2024 02:14:17.120156050 CET	443	49714	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:17.121187925 CET	49714	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:17.125077009 CET	49714	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:17.125091076 CET	443	49714	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:17.125152111 CET	49714	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:17.125299931 CET	443	49714	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:17.126548052 CET	49714	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:17.259752035 CET	49720	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:17.259788990 CET	443	49720	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:17.260898113 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:17.268141031 CET	49720	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:17.269488096 CET	49720	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:17.269504070 CET	443	49720	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:17.380414009 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:17.380485058 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:17.380647898 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:17.500010014 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:17.799278975 CET	80	49717	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:17.799582005 CET	49717	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:17.919446945 CET	80	49717	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:17.919553995 CET	49717	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:18.191698074 CET	443	49718	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:18.191773891 CET	49718	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:18.195621014 CET	49718	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:18.195627928 CET	443	49718	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:18.195704937 CET	49718	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:18.195771933 CET	443	49718	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:18.195822954 CET	49718	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:18.340826988 CET	443	49719	34.160.144.191	192.168.2.7
Nov 24, 2024 02:14:18.340898991 CET	49719	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:18.344014883 CET	49719	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:18.344023943 CET	443	49719	34.160.144.191	192.168.2.7
Nov 24, 2024 02:14:18.344269991 CET	443	49719	34.160.144.191	192.168.2.7
Nov 24, 2024 02:14:18.346597910 CET	49719	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:18.346664906 CET	49719	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:18.346734047 CET	443	49719	34.160.144.191	192.168.2.7
Nov 24, 2024 02:14:18.346875906 CET	49719	443	192.168.2.7	34.160.144.191
Nov 24, 2024 02:14:18.465965033 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:18.486434937 CET	443	49720	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:18.486449003 CET	443	49720	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:18.491993904 CET	49720	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:18.496191025 CET	49720	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:18.496198893 CET	443	49720	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:18.496254921 CET	49720	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:18.496383905 CET	443	49720	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:18.496624947 CET	49729	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:18.496649981 CET	443	49729	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:18.503159046 CET	49720	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:18.503197908 CET	49729	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:18.504547119 CET	49729	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:18.504558086 CET	443	49729	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:18.509592056 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:19.725919962 CET	443	49729	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:19.725933075 CET	443	49729	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:19.725985050 CET	49729	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:19.730179071 CET	49729	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:19.730187893 CET	443	49729	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:19.730282068 CET	49729	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:19.730325937 CET	443	49729	34.117.188.166	192.168.2.7
Nov 24, 2024 02:14:19.730392933 CET	49729	443	192.168.2.7	34.117.188.166
Nov 24, 2024 02:14:20.315186977 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:20.434681892 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:20.434751987 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:20.434897900 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:20.509187937 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:20.554472923 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:20.628595114 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:20.824060917 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:20.874255896 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:21.522855043 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:21.576348066 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:24.566004992 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:24.632255077 CET	49749	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:24.632292032 CET	443	49749	34.107.243.93	192.168.2.7
Nov 24, 2024 02:14:24.632705927 CET	49749	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:24.633907080 CET	49749	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:24.633922100 CET	443	49749	34.107.243.93	192.168.2.7
Nov 24, 2024 02:14:24.685676098 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:24.798031092 CET	49750	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:24.798063040 CET	443	49750	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:24.798190117 CET	49750	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:24.798322916 CET	49750	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:24.798340082 CET	443	49750	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:24.867506027 CET	49751	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:24.867539883 CET	443	49751	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:24.867836952 CET	49751	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:24.868912935 CET	49751	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:24.868925095 CET	443	49751	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:24.881262064 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:24.923778057 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:25.142431974 CET	49752	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:25.142469883 CET	443	49752	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:25.147665977 CET	49752	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:25.149065971 CET	49752	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:25.149080038 CET	443	49752	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:25.847752094 CET	443	49749	34.107.243.93	192.168.2.7
Nov 24, 2024 02:14:25.847822905 CET	49749	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:26.055336952 CET	443	49750	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:26.055423021 CET	49750	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:26.185158968 CET	443	49751	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:26.185239077 CET	49751	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:26.288419962 CET	49750	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:26.288438082 CET	443	49750	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:26.288762093 CET	443	49750	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:26.292557001 CET	49749	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:26.292572975 CET	443	49749	34.107.243.93	192.168.2.7
Nov 24, 2024 02:14:26.292623043 CET	49749	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:26.292804003 CET	443	49749	34.107.243.93	192.168.2.7
Nov 24, 2024 02:14:26.295186043 CET	49750	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:26.295248985 CET	49750	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:26.295430899 CET	443	49750	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:26.297463894 CET	49751	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:26.297477007 CET	443	49751	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:26.297535896 CET	49751	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:26.297678947 CET	443	49751	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:26.300426006 CET	49750	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:26.300443888 CET	49749	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:26.300453901 CET	49750	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:26.300474882 CET	49751	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:26.456002951 CET	443	49752	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:26.456072092 CET	49752	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:26.828214884 CET	49752	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:26.828233957 CET	443	49752	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:26.828293085 CET	49752	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:26.828535080 CET	443	49752	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:26.831885099 CET	49752	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:26.833096027 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:26.952513933 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:26.977412939 CET	49760	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:26.977442026 CET	443	49760	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:26.977696896 CET	49760	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:26.978898048 CET	49760	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:26.978912115 CET	443	49760	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:27.147377014 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:27.203005075 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:27.248476028 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:27.367930889 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:27.652901888 CET	49761	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:27.652921915 CET	443	49761	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:27.653060913 CET	49761	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:27.653183937 CET	49761	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:27.653193951 CET	443	49761	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:27.666125059 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:27.726558924 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:28.195360899 CET	443	49760	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:28.201349020 CET	49760	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:28.909441948 CET	443	49761	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:28.909730911 CET	49761	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:30.768959999 CET	49761	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:30.769006014 CET	443	49761	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:30.769443035 CET	443	49761	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:30.776556015 CET	49760	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:30.776559114 CET	49761	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:30.776575089 CET	443	49760	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:30.776680946 CET	49760	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:30.776809931 CET	49761	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:30.776884079 CET	443	49761	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:30.777169943 CET	49770	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:30.777194977 CET	443	49770	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:30.777242899 CET	443	49760	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:30.778788090 CET	49761	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:30.778821945 CET	49761	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:30.778853893 CET	49760	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:30.778923035 CET	49770	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:30.779015064 CET	49770	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:30.779023886 CET	443	49770	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:30.806032896 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:30.808387995 CET	49771	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:30.808446884 CET	443	49771	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:30.808571100 CET	49771	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:30.809942007 CET	49771	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:30.809959888 CET	443	49771	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:30.925564051 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:31.110265017 CET	49774	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:31.110300064 CET	443	49774	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:31.110428095 CET	49774	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:31.111649036 CET	49774	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:31.111659050 CET	443	49774	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:31.120743036 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:31.123435974 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:31.167570114 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:31.242949963 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:31.437627077 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:31.484030008 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:31.689529896 CET	49775	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:31.689577103 CET	443	49775	34.107.243.93	192.168.2.7
Nov 24, 2024 02:14:31.689800978 CET	49775	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:31.696816921 CET	49775	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:31.696845055 CET	443	49775	34.107.243.93	192.168.2.7
Nov 24, 2024 02:14:32.066747904 CET	443	49771	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:32.066828966 CET	49771	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:32.071414948 CET	49771	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:32.071439028 CET	443	49771	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:32.071522951 CET	49771	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:32.071564913 CET	443	49771	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:32.072712898 CET	49771	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:32.074238062 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:32.089185953 CET	443	49770	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:32.089373112 CET	49770	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:32.091705084 CET	49770	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:32.091712952 CET	443	49770	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:32.092581987 CET	443	49770	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:32.094145060 CET	49770	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:32.094229937 CET	49770	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:32.094573021 CET	443	49770	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:32.094660997 CET	49770	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:32.107871056 CET	49776	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:32.107902050 CET	443	49776	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:32.108139992 CET	49776	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:32.108249903 CET	49776	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:32.108263969 CET	443	49776	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:32.110009909 CET	49777	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:32.110021114 CET	443	49777	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:32.111495018 CET	49777	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:32.111625910 CET	49777	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:32.111638069 CET	443	49777	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:32.116246939 CET	49778	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:32.116257906 CET	443	49778	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:32.116337061 CET	49778	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:32.117801905 CET	49778	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:32.117814064 CET	443	49778	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:32.193675041 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:32.324722052 CET	443	49774	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:32.324805021 CET	49774	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:32.329121113 CET	49774	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:32.329130888 CET	443	49774	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:32.329216957 CET	49774	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:32.329329967 CET	443	49774	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:32.329430103 CET	49774	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:32.335320950 CET	49779	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:32.335367918 CET	443	49779	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:32.336298943 CET	49779	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:32.336446047 CET	49779	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:32.336462975 CET	443	49779	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:32.337066889 CET	49780	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:32.337075949 CET	443	49780	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:32.337146044 CET	49780	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:32.337291956 CET	49780	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:32.337306023 CET	443	49780	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:32.388693094 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:32.391288042 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:32.440062046 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:32.510726929 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:32.706118107 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:32.756544113 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:32.951735973 CET	443	49775	34.107.243.93	192.168.2.7
Nov 24, 2024 02:14:32.951813936 CET	49775	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:32.956948042 CET	49775	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:32.956948042 CET	49775	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:32.956964970 CET	443	49775	34.107.243.93	192.168.2.7
Nov 24, 2024 02:14:32.957137108 CET	443	49775	34.107.243.93	192.168.2.7
Nov 24, 2024 02:14:32.957930088 CET	49775	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:32.960962057 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:33.080421925 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:33.276514053 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:33.280165911 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:33.320554972 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:33.373888969 CET	443	49778	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.374305010 CET	49778	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.375796080 CET	443	49776	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.375926018 CET	49776	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.379981041 CET	49776	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.380009890 CET	443	49776	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.380371094 CET	443	49776	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.382543087 CET	49778	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.382569075 CET	443	49778	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.382661104 CET	49778	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.382745028 CET	443	49778	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.382891893 CET	49776	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.382968903 CET	49776	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.383054972 CET	443	49776	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.384509087 CET	49776	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.384546041 CET	49778	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.384546041 CET	49776	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.385133028 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:33.388330936 CET	49786	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.388365984 CET	443	49786	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.388725042 CET	49786	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.390214920 CET	49786	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.390229940 CET	443	49786	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.399610043 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:33.413847923 CET	443	49777	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.414267063 CET	49777	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.417977095 CET	49777	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.417990923 CET	443	49777	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.418248892 CET	443	49777	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.421291113 CET	49777	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.421360970 CET	49777	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.421463966 CET	443	49777	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.425594091 CET	49777	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.504580975 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:33.593365908 CET	443	49780	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:33.593439102 CET	49780	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:33.594074011 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:33.594110012 CET	443	49779	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.595993996 CET	49780	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:33.596004963 CET	443	49780	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:33.596210957 CET	49779	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.596280098 CET	443	49780	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:33.598726988 CET	49779	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.598732948 CET	443	49779	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.599087954 CET	443	49779	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.600994110 CET	49780	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:33.601078987 CET	49780	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:33.601159096 CET	443	49780	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:33.601816893 CET	49779	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.601876974 CET	49779	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.601989985 CET	443	49779	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.601994991 CET	49780	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:33.602044106 CET	49779	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.607119083 CET	49787	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.607147932 CET	443	49787	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.607300997 CET	49787	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.607556105 CET	49787	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:33.607567072 CET	443	49787	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:33.643559933 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:33.699534893 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:33.702310085 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:33.743859053 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:33.821722984 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:34.018486977 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:34.060359955 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:34.653924942 CET	443	49786	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:34.659373999 CET	443	49786	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:34.662375927 CET	49786	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:34.665846109 CET	49786	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:34.665853977 CET	443	49786	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:34.665935040 CET	49786	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:34.666439056 CET	443	49786	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:34.666898966 CET	49786	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:34.668109894 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:34.670264006 CET	49789	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:34.670305014 CET	443	49789	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:34.674043894 CET	49789	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:34.675211906 CET	49789	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:34.675235987 CET	443	49789	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:34.787519932 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:34.910305023 CET	443	49787	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:34.910384893 CET	49787	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:34.913836956 CET	49787	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:34.913849115 CET	443	49787	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:34.914089918 CET	443	49787	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:34.916755915 CET	49787	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:34.916899920 CET	49787	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:34.916903019 CET	443	49787	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:34.916914940 CET	443	49787	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:34.984476089 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:34.987592936 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:35.025469065 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:35.107031107 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:35.123332024 CET	443	49787	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:35.123405933 CET	49787	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:35.302673101 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:35.348504066 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:35.939887047 CET	443	49789	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:35.939996004 CET	49789	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:35.944592953 CET	49789	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:35.944603920 CET	443	49789	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:35.944731951 CET	49789	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:35.944951057 CET	443	49789	34.120.208.123	192.168.2.7
Nov 24, 2024 02:14:35.946505070 CET	49789	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:14:35.947896957 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:36.067425013 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:36.262552977 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:36.272449970 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:36.313707113 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:36.392143965 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:36.590440989 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:36.652292013 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:41.137363911 CET	49805	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:41.137387037 CET	443	49805	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:41.140070915 CET	49805	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:41.140185118 CET	49805	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:41.140189886 CET	443	49805	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:41.162451982 CET	49806	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:41.162487984 CET	443	49806	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:41.165273905 CET	49806	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:41.165390015 CET	49806	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:41.165402889 CET	443	49806	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:41.169861078 CET	49807	443	192.168.2.7	35.190.72.216
Nov 24, 2024 02:14:41.169894934 CET	443	49807	35.190.72.216	192.168.2.7
Nov 24, 2024 02:14:41.170738935 CET	49807	443	192.168.2.7	35.190.72.216
Nov 24, 2024 02:14:41.172133923 CET	49807	443	192.168.2.7	35.190.72.216
Nov 24, 2024 02:14:41.172157049 CET	443	49807	35.190.72.216	192.168.2.7
Nov 24, 2024 02:14:41.309098959 CET	49808	443	192.168.2.7	35.201.103.21
Nov 24, 2024 02:14:41.309127092 CET	443	49808	35.201.103.21	192.168.2.7
Nov 24, 2024 02:14:41.309478045 CET	49808	443	192.168.2.7	35.201.103.21
Nov 24, 2024 02:14:41.310890913 CET	49808	443	192.168.2.7	35.201.103.21
Nov 24, 2024 02:14:41.310904980 CET	443	49808	35.201.103.21	192.168.2.7
Nov 24, 2024 02:14:41.392498016 CET	49809	443	192.168.2.7	151.101.129.91
Nov 24, 2024 02:14:41.392538071 CET	443	49809	151.101.129.91	192.168.2.7
Nov 24, 2024 02:14:41.392880917 CET	49809	443	192.168.2.7	151.101.129.91
Nov 24, 2024 02:14:41.393018007 CET	49809	443	192.168.2.7	151.101.129.91
Nov 24, 2024 02:14:41.393030882 CET	443	49809	151.101.129.91	192.168.2.7
Nov 24, 2024 02:14:42.404071093 CET	443	49805	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:42.404220104 CET	49805	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:42.407216072 CET	49805	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:42.407224894 CET	443	49805	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:42.407696009 CET	443	49805	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:42.409858942 CET	49805	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:42.409941912 CET	49805	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:42.410044909 CET	443	49805	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:42.410186052 CET	49805	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:42.414433002 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:42.427869081 CET	443	49807	35.190.72.216	192.168.2.7
Nov 24, 2024 02:14:42.427943945 CET	49807	443	192.168.2.7	35.190.72.216
Nov 24, 2024 02:14:42.432007074 CET	49807	443	192.168.2.7	35.190.72.216
Nov 24, 2024 02:14:42.432018042 CET	443	49807	35.190.72.216	192.168.2.7
Nov 24, 2024 02:14:42.432100058 CET	49807	443	192.168.2.7	35.190.72.216
Nov 24, 2024 02:14:42.432153940 CET	443	49807	35.190.72.216	192.168.2.7
Nov 24, 2024 02:14:42.432514906 CET	49807	443	192.168.2.7	35.190.72.216
Nov 24, 2024 02:14:42.467240095 CET	443	49806	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:42.467331886 CET	49806	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:42.470010996 CET	49806	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:42.470019102 CET	443	49806	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:42.470257998 CET	443	49806	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:42.472306013 CET	49806	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:42.472374916 CET	49806	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:42.472466946 CET	443	49806	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:42.473860979 CET	49806	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:42.531745911 CET	443	49808	35.201.103.21	192.168.2.7
Nov 24, 2024 02:14:42.531815052 CET	49808	443	192.168.2.7	35.201.103.21
Nov 24, 2024 02:14:42.533927917 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:42.535819054 CET	49808	443	192.168.2.7	35.201.103.21
Nov 24, 2024 02:14:42.535829067 CET	443	49808	35.201.103.21	192.168.2.7
Nov 24, 2024 02:14:42.535917044 CET	49808	443	192.168.2.7	35.201.103.21
Nov 24, 2024 02:14:42.535989046 CET	443	49808	35.201.103.21	192.168.2.7
Nov 24, 2024 02:14:42.536629915 CET	49808	443	192.168.2.7	35.201.103.21
Nov 24, 2024 02:14:42.540174961 CET	49815	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:42.540208101 CET	443	49815	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:42.540337086 CET	49815	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:42.540472031 CET	49815	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:42.540481091 CET	443	49815	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:42.654689074 CET	443	49809	151.101.129.91	192.168.2.7
Nov 24, 2024 02:14:42.654804945 CET	49809	443	192.168.2.7	151.101.129.91
Nov 24, 2024 02:14:42.657769918 CET	49809	443	192.168.2.7	151.101.129.91
Nov 24, 2024 02:14:42.657779932 CET	443	49809	151.101.129.91	192.168.2.7
Nov 24, 2024 02:14:42.658013105 CET	443	49809	151.101.129.91	192.168.2.7
Nov 24, 2024 02:14:42.660115957 CET	49809	443	192.168.2.7	151.101.129.91
Nov 24, 2024 02:14:42.660192013 CET	49809	443	192.168.2.7	151.101.129.91
Nov 24, 2024 02:14:42.660276890 CET	443	49809	151.101.129.91	192.168.2.7
Nov 24, 2024 02:14:42.666363955 CET	49809	443	192.168.2.7	151.101.129.91
Nov 24, 2024 02:14:42.667666912 CET	49816	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:42.667697906 CET	443	49816	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:42.668484926 CET	49816	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:42.668596029 CET	49816	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:42.668611050 CET	443	49816	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:42.669718027 CET	49817	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:42.669753075 CET	443	49817	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:42.670114040 CET	49817	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:42.670356035 CET	49817	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:42.670372963 CET	443	49817	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:42.672589064 CET	49818	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:42.672597885 CET	443	49818	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:42.672844887 CET	49818	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:42.672960043 CET	49818	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:42.672971964 CET	443	49818	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:42.729008913 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:42.731631041 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:42.772559881 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:42.851084948 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:42.963901997 CET	49819	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:42.963932037 CET	443	49819	34.107.243.93	192.168.2.7
Nov 24, 2024 02:14:42.964025021 CET	49819	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:42.965409040 CET	49819	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:42.965424061 CET	443	49819	34.107.243.93	192.168.2.7
Nov 24, 2024 02:14:43.045762062 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:43.089040041 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:43.802256107 CET	443	49815	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:43.802346945 CET	49815	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:43.805267096 CET	49815	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:43.805279016 CET	443	49815	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:43.805593967 CET	443	49815	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:43.807749033 CET	49815	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:43.807852983 CET	49815	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:43.808010101 CET	443	49815	34.149.100.209	192.168.2.7
Nov 24, 2024 02:14:43.808132887 CET	49815	443	192.168.2.7	34.149.100.209
Nov 24, 2024 02:14:43.811183929 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:43.930684090 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:43.957528114 CET	443	49818	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:43.957727909 CET	49818	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:43.960263014 CET	49818	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:43.960273981 CET	443	49818	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:43.960513115 CET	443	49818	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:43.962584972 CET	49818	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:43.962670088 CET	49818	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:43.962723970 CET	443	49818	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:43.962789059 CET	49818	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:43.989312887 CET	443	49816	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:43.989546061 CET	443	49817	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:43.989686966 CET	49816	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:43.989697933 CET	49817	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:43.992506027 CET	49816	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:43.992511034 CET	443	49816	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:43.992749929 CET	443	49816	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:43.994867086 CET	49817	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:43.994875908 CET	443	49817	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:43.995110989 CET	443	49817	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:43.997889042 CET	49816	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:43.997983932 CET	49816	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:43.998023033 CET	443	49816	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:43.998228073 CET	49817	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:43.998274088 CET	49817	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:43.998356104 CET	443	49817	35.244.181.201	192.168.2.7
Nov 24, 2024 02:14:43.998398066 CET	49816	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:43.998420000 CET	49817	443	192.168.2.7	35.244.181.201
Nov 24, 2024 02:14:44.126060009 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:44.128376961 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:44.176568031 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:44.220400095 CET	443	49819	34.107.243.93	192.168.2.7
Nov 24, 2024 02:14:44.220473051 CET	49819	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:44.224905014 CET	49819	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:44.224912882 CET	443	49819	34.107.243.93	192.168.2.7
Nov 24, 2024 02:14:44.224989891 CET	49819	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:44.225055933 CET	443	49819	34.107.243.93	192.168.2.7
Nov 24, 2024 02:14:44.225157022 CET	49819	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:14:44.226980925 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:44.247844934 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:44.346400023 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:44.442715883 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:44.493073940 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:44.542031050 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:44.546871901 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:44.593452930 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:44.666348934 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:44.894639969 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:44.947634935 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:54.546405077 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:54.665870905 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:14:54.900715113 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:14:55.020260096 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:04.672645092 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:04.792136908 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:04.814388990 CET	49872	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:15:04.814425945 CET	443	49872	34.107.243.93	192.168.2.7
Nov 24, 2024 02:15:04.814902067 CET	49872	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:15:04.816890955 CET	49872	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:15:04.816904068 CET	443	49872	34.107.243.93	192.168.2.7
Nov 24, 2024 02:15:05.020286083 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:05.139945030 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:06.078071117 CET	443	49872	34.107.243.93	192.168.2.7
Nov 24, 2024 02:15:06.078161955 CET	49872	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:15:06.083359957 CET	49872	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:15:06.083370924 CET	443	49872	34.107.243.93	192.168.2.7
Nov 24, 2024 02:15:06.083473921 CET	49872	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:15:06.083525896 CET	443	49872	34.107.243.93	192.168.2.7
Nov 24, 2024 02:15:06.084274054 CET	49872	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:15:06.086443901 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:06.205970049 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:06.400902987 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:06.404078007 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:06.455414057 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:06.523510933 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:06.718234062 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:06.778009892 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:10.958733082 CET	49885	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.958784103 CET	443	49885	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:10.968558073 CET	49885	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.968754053 CET	49885	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.968777895 CET	443	49885	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:10.969624043 CET	49886	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.969667912 CET	443	49886	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:10.970063925 CET	49887	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.970087051 CET	443	49887	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:10.970223904 CET	49888	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.970266104 CET	443	49888	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:10.970365047 CET	49889	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.970398903 CET	443	49889	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:10.970503092 CET	49890	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.970511913 CET	443	49890	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:10.970719099 CET	49886	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.970730066 CET	49887	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.970731020 CET	49888	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.970741034 CET	49889	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.970751047 CET	49890	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.970905066 CET	49886	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.970920086 CET	443	49886	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:10.971055031 CET	49890	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.971067905 CET	443	49890	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:10.971215010 CET	49889	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.971229076 CET	443	49889	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:10.971266031 CET	49888	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.971275091 CET	443	49888	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:10.971343040 CET	49887	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:10.971360922 CET	443	49887	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.227798939 CET	443	49889	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.228749990 CET	49889	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.229201078 CET	443	49888	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.230631113 CET	443	49887	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.232572079 CET	49889	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.232590914 CET	443	49889	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.232846022 CET	443	49889	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.234419107 CET	443	49885	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.234436989 CET	443	49885	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.234810114 CET	443	49886	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.235095978 CET	443	49890	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.235338926 CET	443	49888	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.235341072 CET	443	49887	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.235482931 CET	49889	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.235589027 CET	49889	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.235865116 CET	443	49889	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.236063957 CET	49894	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.236099005 CET	443	49894	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.239336967 CET	443	49890	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.241566896 CET	49889	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.241581917 CET	49888	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.241729975 CET	49887	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.247337103 CET	443	49886	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.251769066 CET	49887	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.251790047 CET	443	49887	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.252640009 CET	443	49887	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.254137039 CET	49888	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.254148006 CET	443	49888	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.255167007 CET	443	49888	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.257170916 CET	49887	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.257191896 CET	49885	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.257193089 CET	49888	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.259382963 CET	49890	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.259391069 CET	49886	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.259684086 CET	49885	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.259710073 CET	443	49885	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.259844065 CET	49889	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.259874105 CET	49890	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.259906054 CET	49886	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.259939909 CET	49894	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.260720968 CET	443	49885	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.262034893 CET	49886	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.262042046 CET	443	49886	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.262794018 CET	443	49886	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.264247894 CET	49890	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.264251947 CET	443	49890	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.264297009 CET	49888	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.264308929 CET	49887	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.264472961 CET	443	49888	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.264534950 CET	443	49890	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.264775991 CET	443	49887	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.264879942 CET	49888	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.264940023 CET	49887	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.265634060 CET	49894	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.265645981 CET	443	49894	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.265913963 CET	49895	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.265957117 CET	443	49895	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.269371986 CET	49885	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.269448996 CET	49885	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.269649029 CET	443	49885	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.269694090 CET	49886	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.269747019 CET	49886	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.270072937 CET	443	49886	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.270180941 CET	49890	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.270216942 CET	49890	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.270328045 CET	443	49890	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.270962000 CET	49886	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.270970106 CET	49888	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.270979881 CET	49890	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.271038055 CET	49887	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.271039009 CET	49885	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.271061897 CET	49895	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.271295071 CET	49895	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.271318913 CET	443	49895	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:12.271383047 CET	49886	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.271534920 CET	49890	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:12.272221088 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:12.391715050 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:12.586750031 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:12.603538990 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:12.642673016 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:12.723061085 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:12.918411970 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:12.958794117 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:13.485390902 CET	443	49895	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:13.485498905 CET	49895	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:13.490022898 CET	49895	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:13.490042925 CET	443	49895	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:13.490377903 CET	443	49895	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:13.493537903 CET	49895	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:13.493684053 CET	49895	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:13.493825912 CET	443	49895	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:13.494640112 CET	49895	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:13.496946096 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:13.522111893 CET	443	49894	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:13.522131920 CET	443	49894	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:13.529407978 CET	49894	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:13.533355951 CET	49894	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:13.533370018 CET	443	49894	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:13.533699036 CET	443	49894	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:13.536289930 CET	49894	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:13.536422014 CET	49894	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:13.536468029 CET	443	49894	34.120.208.123	192.168.2.7
Nov 24, 2024 02:15:13.541902065 CET	49894	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:13.541902065 CET	49894	443	192.168.2.7	34.120.208.123
Nov 24, 2024 02:15:13.616507053 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:13.811434031 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:13.819508076 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:13.861536980 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:13.939116955 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:14.140221119 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:14.200228930 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:23.821553946 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:23.941011906 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:24.160363913 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:24.279864073 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:33.950923920 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:34.070514917 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:34.289519072 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:34.409039974 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:44.079884052 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:44.199285984 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:44.418548107 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:44.537950993 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:46.303975105 CET	49972	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:15:46.304027081 CET	443	49972	34.107.243.93	192.168.2.7
Nov 24, 2024 02:15:46.322137117 CET	49972	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:15:46.323575020 CET	49972	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:15:46.323596001 CET	443	49972	34.107.243.93	192.168.2.7
Nov 24, 2024 02:15:47.633953094 CET	443	49972	34.107.243.93	192.168.2.7
Nov 24, 2024 02:15:47.633970976 CET	443	49972	34.107.243.93	192.168.2.7
Nov 24, 2024 02:15:47.634171963 CET	49972	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:15:47.641530037 CET	49972	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:15:47.641542912 CET	443	49972	34.107.243.93	192.168.2.7
Nov 24, 2024 02:15:47.641663074 CET	49972	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:15:47.641804934 CET	443	49972	34.107.243.93	192.168.2.7
Nov 24, 2024 02:15:47.642694950 CET	49972	443	192.168.2.7	34.107.243.93
Nov 24, 2024 02:15:47.644814968 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:47.764205933 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:47.959620953 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:47.964198112 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:48.007035971 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:48.083755016 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:48.278301001 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:48.329883099 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:57.969511986 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:58.090430021 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:15:58.286024094 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:15:58.405486107 CET	80	49735	34.107.221.82	192.168.2.7
Nov 24, 2024 02:16:08.113363981 CET	49721	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:16:08.232887983 CET	80	49721	34.107.221.82	192.168.2.7
Nov 24, 2024 02:16:08.415940046 CET	49735	80	192.168.2.7	34.107.221.82
Nov 24, 2024 02:16:08.535320997 CET	80	49735	34.107.221.82	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 02:14:13.800239086 CET	58274	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:14.375045061 CET	53	58274	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:14.465764046 CET	51262	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:14.599011898 CET	55096	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:14.719917059 CET	53	51262	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:14.736180067 CET	53	55096	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:14.737123966 CET	52315	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:14.874614000 CET	53	52315	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:14.875379086 CET	63080	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:14.917201042 CET	55894	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:15.016329050 CET	53	63080	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:15.057362080 CET	53165	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:15.195559025 CET	53	53165	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:15.199418068 CET	62239	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:15.293781042 CET	56935	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:15.336793900 CET	53	62239	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:15.430706024 CET	53	56935	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:15.640590906 CET	57728	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:15.665807962 CET	57164	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:15.681148052 CET	62101	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:15.777484894 CET	53	57728	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:15.778076887 CET	55689	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:15.803550959 CET	53	57164	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:15.804445028 CET	55012	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:15.805325031 CET	59816	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:15.818615913 CET	53	62101	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:15.917109966 CET	53	55689	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:15.917898893 CET	49441	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:16.032932043 CET	53	59816	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:16.036138058 CET	53	55012	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:16.048378944 CET	65250	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:16.054153919 CET	58062	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:16.186029911 CET	53	65250	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:16.191921949 CET	53	58062	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:16.254204035 CET	53	49441	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:16.254863024 CET	50096	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:16.366202116 CET	60159	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:16.366709948 CET	56595	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:16.408365965 CET	56149	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:16.503412008 CET	53	60159	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:16.503475904 CET	53	56595	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:16.505217075 CET	53	50096	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:17.107994080 CET	57336	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:18.041754961 CET	53	61686	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:20.309672117 CET	59888	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:20.446949005 CET	53	59888	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:20.447603941 CET	52085	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:20.564482927 CET	61224	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:20.585781097 CET	53	52085	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:20.586357117 CET	65462	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:20.701525927 CET	53	61224	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:20.702574015 CET	64717	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:20.723771095 CET	53	65462	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:20.839528084 CET	53	64717	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:20.840023041 CET	61684	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:20.976973057 CET	53	61684	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:24.660388947 CET	54719	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:24.797277927 CET	53	54719	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:24.867682934 CET	60355	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:24.998995066 CET	59243	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:25.004657984 CET	53	60355	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:25.005225897 CET	55696	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:25.135700941 CET	53	59243	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:25.142610073 CET	62548	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:25.255568027 CET	53	55696	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:25.279690981 CET	53	62548	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:25.280550957 CET	54331	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:25.417676926 CET	53	54331	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:30.809137106 CET	64397	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:30.946486950 CET	53	64397	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:31.141299009 CET	51974	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:31.141345978 CET	56848	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:31.141716003 CET	54702	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:31.278280020 CET	53	51974	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:31.278537989 CET	53	56848	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:31.278906107 CET	53	54702	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:31.279167891 CET	61245	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:31.279567003 CET	49324	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:31.282397985 CET	63684	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:31.416925907 CET	53	49324	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:31.417396069 CET	53	61245	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:31.417661905 CET	50682	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:31.418154001 CET	54246	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:31.419208050 CET	53	63684	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:31.419742107 CET	65016	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:31.554754019 CET	53	50682	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:31.555414915 CET	58460	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:31.555741072 CET	53	54246	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:31.556380033 CET	53	65016	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:31.556936026 CET	61181	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:31.689809084 CET	52374	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:31.692313910 CET	53	58460	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:31.693645000 CET	53	61181	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:31.694722891 CET	60885	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:31.694787979 CET	62713	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:31.826555967 CET	53	52374	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:31.831720114 CET	53	62713	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:31.832456112 CET	53	60885	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:31.832473993 CET	54026	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:31.832856894 CET	62411	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:31.970031023 CET	53	54026	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:31.970508099 CET	53	62411	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:41.138362885 CET	55630	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:41.158413887 CET	63531	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:41.170640945 CET	64153	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:41.275755882 CET	53	55630	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:41.307936907 CET	53	64153	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:41.309401989 CET	63248	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:41.391467094 CET	53	63531	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:41.392766953 CET	50444	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:41.447170019 CET	53	63248	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:41.447860956 CET	53805	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:41.530162096 CET	53	50444	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:41.530844927 CET	57273	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:41.585280895 CET	53	53805	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:41.760639906 CET	53	57273	1.1.1.1	192.168.2.7
Nov 24, 2024 02:14:42.963844061 CET	51459	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:14:43.100615025 CET	53	51459	1.1.1.1	192.168.2.7
Nov 24, 2024 02:15:04.675599098 CET	56052	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:15:04.813195944 CET	53	56052	1.1.1.1	192.168.2.7
Nov 24, 2024 02:15:04.814650059 CET	50957	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:15:04.952258110 CET	53	50957	1.1.1.1	192.168.2.7
Nov 24, 2024 02:15:10.959124088 CET	52831	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:15:11.096585035 CET	53	52831	1.1.1.1	192.168.2.7
Nov 24, 2024 02:15:12.272526979 CET	57917	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:15:46.164668083 CET	52582	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:15:46.301661015 CET	53	52582	1.1.1.1	192.168.2.7
Nov 24, 2024 02:15:46.304616928 CET	58657	53	192.168.2.7	1.1.1.1
Nov 24, 2024 02:15:46.441638947 CET	53	58657	1.1.1.1	192.168.2.7
Nov 24, 2024 02:15:47.645097017 CET	64554	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 02:14:13.800239086 CET	192.168.2.7	1.1.1.1	0xb21c	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:14.465764046 CET	192.168.2.7	1.1.1.1	0x3c27	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 02:14:14.599011898 CET	192.168.2.7	1.1.1.1	0x6713	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:14.737123966 CET	192.168.2.7	1.1.1.1	0x34e8	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:14.875379086 CET	192.168.2.7	1.1.1.1	0x74a5	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 24, 2024 02:14:14.917201042 CET	192.168.2.7	1.1.1.1	0x1fa8	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:15.057362080 CET	192.168.2.7	1.1.1.1	0x42af	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:15.199418068 CET	192.168.2.7	1.1.1.1	0xa21	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 02:14:15.293781042 CET	192.168.2.7	1.1.1.1	0x77a0	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:15.640590906 CET	192.168.2.7	1.1.1.1	0xd579	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:15.665807962 CET	192.168.2.7	1.1.1.1	0xe0c	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:15.681148052 CET	192.168.2.7	1.1.1.1	0xa778	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:15.778076887 CET	192.168.2.7	1.1.1.1	0x75c2	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 02:14:15.804445028 CET	192.168.2.7	1.1.1.1	0x7c5f	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:15.805325031 CET	192.168.2.7	1.1.1.1	0x4804	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:15.917898893 CET	192.168.2.7	1.1.1.1	0x2615	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:16.048378944 CET	192.168.2.7	1.1.1.1	0x15bc	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 02:14:16.054153919 CET	192.168.2.7	1.1.1.1	0x65c5	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 02:14:16.254863024 CET	192.168.2.7	1.1.1.1	0xa42e	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 02:14:16.366202116 CET	192.168.2.7	1.1.1.1	0x87f8	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:16.366709948 CET	192.168.2.7	1.1.1.1	0x2aaa	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:16.408365965 CET	192.168.2.7	1.1.1.1	0xaaa1	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:17.107994080 CET	192.168.2.7	1.1.1.1	0x817f	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:20.309672117 CET	192.168.2.7	1.1.1.1	0xa34e	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:20.447603941 CET	192.168.2.7	1.1.1.1	0x2c3e	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:20.564482927 CET	192.168.2.7	1.1.1.1	0x12ca	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:20.586357117 CET	192.168.2.7	1.1.1.1	0xe458	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 02:14:20.702574015 CET	192.168.2.7	1.1.1.1	0x95f0	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:20.840023041 CET	192.168.2.7	1.1.1.1	0xe266	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 02:14:24.660388947 CET	192.168.2.7	1.1.1.1	0xf4de	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 02:14:24.867682934 CET	192.168.2.7	1.1.1.1	0x4a7c	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:24.998995066 CET	192.168.2.7	1.1.1.1	0x4075	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:25.005225897 CET	192.168.2.7	1.1.1.1	0x1771	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 02:14:25.142610073 CET	192.168.2.7	1.1.1.1	0x7773	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:25.280550957 CET	192.168.2.7	1.1.1.1	0xdf36	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 02:14:30.809137106 CET	192.168.2.7	1.1.1.1	0xd925	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 02:14:31.141299009 CET	192.168.2.7	1.1.1.1	0xac87	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.141345978 CET	192.168.2.7	1.1.1.1	0xf8cf	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.141716003 CET	192.168.2.7	1.1.1.1	0xcaa8	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.279167891 CET	192.168.2.7	1.1.1.1	0x87e4	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.279567003 CET	192.168.2.7	1.1.1.1	0x618f	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.282397985 CET	192.168.2.7	1.1.1.1	0x54d9	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.417661905 CET	192.168.2.7	1.1.1.1	0x250a	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 24, 2024 02:14:31.418154001 CET	192.168.2.7	1.1.1.1	0x498	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 24, 2024 02:14:31.419742107 CET	192.168.2.7	1.1.1.1	0x5976	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 24, 2024 02:14:31.555414915 CET	192.168.2.7	1.1.1.1	0x7b41	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.556936026 CET	192.168.2.7	1.1.1.1	0x8981	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.689809084 CET	192.168.2.7	1.1.1.1	0x13b6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 02:14:31.694722891 CET	192.168.2.7	1.1.1.1	0x149	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.694787979 CET	192.168.2.7	1.1.1.1	0x2ac6	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.832473993 CET	192.168.2.7	1.1.1.1	0x682e	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 24, 2024 02:14:31.832856894 CET	192.168.2.7	1.1.1.1	0x8f27	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 24, 2024 02:14:41.138362885 CET	192.168.2.7	1.1.1.1	0xa3	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 02:14:41.158413887 CET	192.168.2.7	1.1.1.1	0x43c7	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:41.170640945 CET	192.168.2.7	1.1.1.1	0xd4f7	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:41.309401989 CET	192.168.2.7	1.1.1.1	0xe1de	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:41.392766953 CET	192.168.2.7	1.1.1.1	0x868a	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:41.447860956 CET	192.168.2.7	1.1.1.1	0xa5b7	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 02:14:41.530844927 CET	192.168.2.7	1.1.1.1	0xb143	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 24, 2024 02:14:42.963844061 CET	192.168.2.7	1.1.1.1	0x47f5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 02:15:04.675599098 CET	192.168.2.7	1.1.1.1	0x1fae	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:15:04.814650059 CET	192.168.2.7	1.1.1.1	0xc148	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 02:15:10.959124088 CET	192.168.2.7	1.1.1.1	0x94bb	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 02:15:12.272526979 CET	192.168.2.7	1.1.1.1	0x7d01	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:15:46.164668083 CET	192.168.2.7	1.1.1.1	0x3f5	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:15:46.304616928 CET	192.168.2.7	1.1.1.1	0x7048	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 02:15:47.645097017 CET	192.168.2.7	1.1.1.1	0x5644	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 02:14:13.798160076 CET	1.1.1.1	192.168.2.7	0xe652	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:14.375045061 CET	1.1.1.1	192.168.2.7	0xb21c	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:14.736180067 CET	1.1.1.1	192.168.2.7	0x6713	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:14.874614000 CET	1.1.1.1	192.168.2.7	0x34e8	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:15.016329050 CET	1.1.1.1	192.168.2.7	0x74a5	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 24, 2024 02:14:15.056143045 CET	1.1.1.1	192.168.2.7	0x1fa8	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:15.056143045 CET	1.1.1.1	192.168.2.7	0x1fa8	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:15.195559025 CET	1.1.1.1	192.168.2.7	0x42af	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:15.336793900 CET	1.1.1.1	192.168.2.7	0xa21	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 02:14:15.430706024 CET	1.1.1.1	192.168.2.7	0x77a0	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:15.777484894 CET	1.1.1.1	192.168.2.7	0xd579	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:15.803550959 CET	1.1.1.1	192.168.2.7	0xe0c	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:15.803550959 CET	1.1.1.1	192.168.2.7	0xe0c	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:15.804002047 CET	1.1.1.1	192.168.2.7	0x5828	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:15.804002047 CET	1.1.1.1	192.168.2.7	0x5828	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:15.818615913 CET	1.1.1.1	192.168.2.7	0xa778	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:15.818615913 CET	1.1.1.1	192.168.2.7	0xa778	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:15.818615913 CET	1.1.1.1	192.168.2.7	0xa778	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:16.032932043 CET	1.1.1.1	192.168.2.7	0x4804	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:16.036138058 CET	1.1.1.1	192.168.2.7	0x7c5f	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:16.254204035 CET	1.1.1.1	192.168.2.7	0x2615	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:16.503412008 CET	1.1.1.1	192.168.2.7	0x87f8	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:16.503475904 CET	1.1.1.1	192.168.2.7	0x2aaa	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:16.503475904 CET	1.1.1.1	192.168.2.7	0x2aaa	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:16.505217075 CET	1.1.1.1	192.168.2.7	0xa42e	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 02:14:16.545713902 CET	1.1.1.1	192.168.2.7	0xaaa1	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:16.545713902 CET	1.1.1.1	192.168.2.7	0xaaa1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:17.609019041 CET	1.1.1.1	192.168.2.7	0x817f	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:20.446949005 CET	1.1.1.1	192.168.2.7	0xa34e	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:20.446949005 CET	1.1.1.1	192.168.2.7	0xa34e	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:20.446949005 CET	1.1.1.1	192.168.2.7	0xa34e	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:20.585781097 CET	1.1.1.1	192.168.2.7	0x2c3e	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:20.701525927 CET	1.1.1.1	192.168.2.7	0x12ca	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:20.839528084 CET	1.1.1.1	192.168.2.7	0x95f0	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:24.797240973 CET	1.1.1.1	192.168.2.7	0xa037	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:24.797240973 CET	1.1.1.1	192.168.2.7	0xa037	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:24.866758108 CET	1.1.1.1	192.168.2.7	0x4f75	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:25.004657984 CET	1.1.1.1	192.168.2.7	0x4a7c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:25.135700941 CET	1.1.1.1	192.168.2.7	0x4075	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:25.135700941 CET	1.1.1.1	192.168.2.7	0x4075	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:25.279690981 CET	1.1.1.1	192.168.2.7	0x7773	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:26.976454973 CET	1.1.1.1	192.168.2.7	0x63fa	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.278280020 CET	1.1.1.1	192.168.2.7	0xac87	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:31.278280020 CET	1.1.1.1	192.168.2.7	0xac87	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.278280020 CET	1.1.1.1	192.168.2.7	0xac87	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.278280020 CET	1.1.1.1	192.168.2.7	0xac87	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.278280020 CET	1.1.1.1	192.168.2.7	0xac87	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.278280020 CET	1.1.1.1	192.168.2.7	0xac87	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.278280020 CET	1.1.1.1	192.168.2.7	0xac87	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.278280020 CET	1.1.1.1	192.168.2.7	0xac87	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.278280020 CET	1.1.1.1	192.168.2.7	0xac87	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.278280020 CET	1.1.1.1	192.168.2.7	0xac87	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.278280020 CET	1.1.1.1	192.168.2.7	0xac87	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.278537989 CET	1.1.1.1	192.168.2.7	0xf8cf	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:31.278537989 CET	1.1.1.1	192.168.2.7	0xf8cf	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.278906107 CET	1.1.1.1	192.168.2.7	0xcaa8	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:31.278906107 CET	1.1.1.1	192.168.2.7	0xcaa8	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.416925907 CET	1.1.1.1	192.168.2.7	0x618f	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.417396069 CET	1.1.1.1	192.168.2.7	0x87e4	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.419208050 CET	1.1.1.1	192.168.2.7	0x54d9	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.419208050 CET	1.1.1.1	192.168.2.7	0x54d9	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.419208050 CET	1.1.1.1	192.168.2.7	0x54d9	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.419208050 CET	1.1.1.1	192.168.2.7	0x54d9	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.419208050 CET	1.1.1.1	192.168.2.7	0x54d9	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.419208050 CET	1.1.1.1	192.168.2.7	0x54d9	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.419208050 CET	1.1.1.1	192.168.2.7	0x54d9	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.419208050 CET	1.1.1.1	192.168.2.7	0x54d9	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.419208050 CET	1.1.1.1	192.168.2.7	0x54d9	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.554754019 CET	1.1.1.1	192.168.2.7	0x250a	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 24, 2024 02:14:31.555741072 CET	1.1.1.1	192.168.2.7	0x498	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 24, 2024 02:14:31.556380033 CET	1.1.1.1	192.168.2.7	0x5976	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 02:14:31.556380033 CET	1.1.1.1	192.168.2.7	0x5976	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 02:14:31.556380033 CET	1.1.1.1	192.168.2.7	0x5976	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 02:14:31.556380033 CET	1.1.1.1	192.168.2.7	0x5976	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 02:14:31.692313910 CET	1.1.1.1	192.168.2.7	0x7b41	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:31.692313910 CET	1.1.1.1	192.168.2.7	0x7b41	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.692313910 CET	1.1.1.1	192.168.2.7	0x7b41	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.692313910 CET	1.1.1.1	192.168.2.7	0x7b41	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.692313910 CET	1.1.1.1	192.168.2.7	0x7b41	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.693645000 CET	1.1.1.1	192.168.2.7	0x8981	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.693645000 CET	1.1.1.1	192.168.2.7	0x8981	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.693645000 CET	1.1.1.1	192.168.2.7	0x8981	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.693645000 CET	1.1.1.1	192.168.2.7	0x8981	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.831720114 CET	1.1.1.1	192.168.2.7	0x2ac6	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.832456112 CET	1.1.1.1	192.168.2.7	0x149	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.832456112 CET	1.1.1.1	192.168.2.7	0x149	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.832456112 CET	1.1.1.1	192.168.2.7	0x149	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:31.832456112 CET	1.1.1.1	192.168.2.7	0x149	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:41.307936907 CET	1.1.1.1	192.168.2.7	0xd4f7	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:41.307936907 CET	1.1.1.1	192.168.2.7	0xd4f7	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:41.391467094 CET	1.1.1.1	192.168.2.7	0x43c7	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:41.391467094 CET	1.1.1.1	192.168.2.7	0x43c7	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:41.391467094 CET	1.1.1.1	192.168.2.7	0x43c7	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:41.391467094 CET	1.1.1.1	192.168.2.7	0x43c7	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:41.447170019 CET	1.1.1.1	192.168.2.7	0xe1de	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:41.530162096 CET	1.1.1.1	192.168.2.7	0x868a	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:41.530162096 CET	1.1.1.1	192.168.2.7	0x868a	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:41.530162096 CET	1.1.1.1	192.168.2.7	0x868a	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:41.530162096 CET	1.1.1.1	192.168.2.7	0x868a	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:14:41.760639906 CET	1.1.1.1	192.168.2.7	0xb143	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 02:14:41.760639906 CET	1.1.1.1	192.168.2.7	0xb143	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 02:14:41.760639906 CET	1.1.1.1	192.168.2.7	0xb143	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 02:14:41.760639906 CET	1.1.1.1	192.168.2.7	0xb143	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 02:14:44.809609890 CET	1.1.1.1	192.168.2.7	0x28b6	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:14:44.809609890 CET	1.1.1.1	192.168.2.7	0x28b6	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:15:04.813195944 CET	1.1.1.1	192.168.2.7	0x1fae	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:15:12.409415007 CET	1.1.1.1	192.168.2.7	0x7d01	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:15:12.409415007 CET	1.1.1.1	192.168.2.7	0x7d01	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:15:46.301661015 CET	1.1.1.1	192.168.2.7	0x3f5	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 02:15:47.782237053 CET	1.1.1.1	192.168.2.7	0x5644	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 02:15:47.782237053 CET	1.1.1.1	192.168.2.7	0x5644	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49712	34.107.221.82	80	8048	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 02:14:15.183216095 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:14:16.269052029 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85020 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49717	34.107.221.82	80	8048	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 02:14:16.667258978 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:14:17.799278975 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68260 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49721	34.107.221.82	80	8048	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 02:14:17.380647898 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:14:18.465965033 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85022 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 02:14:20.509187937 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:14:20.824060917 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85024 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 02:14:26.833096027 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:14:27.147377014 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85030 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 02:14:30.806032896 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:14:31.120743036 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85034 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 02:14:32.074238062 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:14:32.388693094 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85036 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 02:14:32.960962057 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:14:33.276514053 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85037 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 02:14:33.385133028 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:14:33.699534893 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85037 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 02:14:34.668109894 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:14:34.984476089 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85038 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 02:14:35.947896957 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:14:36.262552977 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85040 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 02:14:42.414433002 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:14:42.729008913 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85046 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 02:14:43.811183929 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:14:44.126060009 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85047 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 02:14:44.226980925 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:14:44.542031050 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85048 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 02:14:54.546405077 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 02:15:04.672645092 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 02:15:06.086443901 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:15:06.400902987 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85070 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 02:15:12.272221088 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:15:12.586750031 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85076 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 02:15:13.496946096 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:15:13.811434031 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85077 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 02:15:23.821553946 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 02:15:33.950923920 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 02:15:44.079884052 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 02:15:47.644814968 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 02:15:47.959620953 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 01:37:16 GMT Age: 85111 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 02:15:57.969511986 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 02:16:08.113363981 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49735	34.107.221.82	80	8048	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 02:14:20.434897900 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:14:21.522855043 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68264 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 02:14:24.566004992 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:14:24.881262064 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68267 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 02:14:27.248476028 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:14:27.666125059 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68270 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 02:14:31.123435974 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:14:31.437627077 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68274 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 02:14:32.391288042 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:14:32.706118107 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68275 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 02:14:33.280165911 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:14:33.594074011 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68276 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 02:14:33.702310085 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:14:34.018486977 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68276 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 02:14:34.987592936 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:14:35.302673101 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68278 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 02:14:36.272449970 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:14:36.590440989 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68279 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 02:14:42.731631041 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:14:43.045762062 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68285 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 02:14:44.128376961 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:14:44.442715883 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68287 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 02:14:44.546871901 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:14:44.894639969 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68287 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 02:14:54.900715113 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 02:15:05.020286083 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 02:15:06.404078007 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:15:06.718234062 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68309 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 02:15:12.603538990 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:15:12.918411970 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68315 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 02:15:13.819508076 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:15:14.140221119 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68316 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 02:15:24.160363913 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 02:15:34.289519072 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 02:15:44.418548107 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 02:15:47.964198112 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 02:15:48.278301001 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 68351 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 02:15:58.286024094 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 02:16:08.415940046 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	20:14:04
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x1000000
File size:	921'600 bytes
MD5 hash:	163C161C40D81ABCF7762B5FE1E069F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1248320440.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:14:04
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xb10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:14:04
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:14:06
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xb10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:14:07
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:14:07
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xb10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:14:07
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	20:14:07
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xb10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:14:07
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	20:14:07
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xb10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	20:14:07
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	20:14:08
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	20:14:08
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	20:14:08
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	20:14:09
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fa56352-fd4b-4b7f-b423-9a0248dfdb3b} 8048 "\\.\pipe\gecko-crash-server-pipe.8048" 25ae3f70510 socket
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	20:14:12
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4316 -parentBuildID 20230927232528 -prefsHandle 3496 -prefMapHandle 4280 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed71bddf-fccd-47e2-b4c7-74e3184e403d} 8048 "\\.\pipe\gecko-crash-server-pipe.8048" 25af417da10 rdd
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	20:14:24
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5136 -prefMapHandle 5132 -prefsLen 33202 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dca1960-02c8-4c81-b349-e484fc3aaec9} 8048 "\\.\pipe\gecko-crash-server-pipe.8048" 25afd726710 utility
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1560
Total number of Limit Nodes:	50

Executed Functions

Function 010042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0100430D

Part of subcall function 01006B57: _wcslen.LIBCMT ref: 01006B6A

GetCurrentProcess.KERNEL32(?,0109CB64,00000000,?,?), ref: 01004422
IsWow64Process.KERNEL32(00000000,?,?), ref: 01004429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 01004454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 01004466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 01004474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0100447B
GetSystemInfo.KERNEL32(?,?,?), ref: 010044A0

Strings

GetNativeSystemInfo, xrefs: 01004460
|O, xrefs: 010436F8
kernel32.dll, xrefs: 0100444F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 4eda39a85d420a982b85625ca3811be5a00939f07168d77279267fb062cfb305
Instruction ID: 54bc9ceedfda534896be994a8a4b6a3cea230eca3db9e74195ff24a183153f79
Opcode Fuzzy Hash: 4eda39a85d420a982b85625ca3811be5a00939f07168d77279267fb062cfb305
Instruction Fuzzy Hash: E4A1837190B3D0CFE733C76DB1801997FE5BB26240F08D8A9D9C1A7A4ADE3A4548CB65

Function 010042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,010050AA,?,?,00000000,00000000), ref: 010042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,010050AA,?,?,00000000,00000000), ref: 010042C9
LoadResource.KERNEL32(?,00000000,?,?,010050AA,?,?,00000000,00000000,?,?,?,?,?,?,01004F20), ref: 010435BE
SizeofResource.KERNEL32(?,00000000,?,?,010050AA,?,?,00000000,00000000,?,?,?,?,?,?,01004F20), ref: 010435D3
LockResource.KERNEL32(010050AA,?,?,010050AA,?,?,00000000,00000000,?,?,?,?,?,?,01004F20,?), ref: 010435E6

Strings

SCRIPT, xrefs: 010042BF

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: c2b73c115d5d15e893018f08981350b604a2faa29e97ac08bb8d6ec049c19922
Instruction ID: 097c2a3664f4f761955c3364b566348f3ec2eb03646ba811950be477a28a3c11
Opcode Fuzzy Hash: c2b73c115d5d15e893018f08981350b604a2faa29e97ac08bb8d6ec049c19922
Instruction Fuzzy Hash: 5F117070A00700BFFB228B65DD48F277BB9FBC5B51F1041A9B686D6190DB72D8008670

Function 01042BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 01002B6B

Part of subcall function 01003A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010D1418,?,01002E7F,?,?,?,00000000), ref: 01003A78

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,010C2224), ref: 01042C10
ShellExecuteW.SHELL32(00000000,?,?,010C2224), ref: 01042C17

Strings

runas, xrefs: 01042C0B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: df10b3370f9f68f6116d03b731dd85f5e0c6a5d14acd4042ad037e577527b3fb
Instruction ID: d2052f8cc37f1cb9a049a6363ff06a62551b6203341825e18b8b92ea2c23934c
Opcode Fuzzy Hash: df10b3370f9f68f6116d03b731dd85f5e0c6a5d14acd4042ad037e577527b3fb
Instruction Fuzzy Hash: BB11EE31608342AEE727FF64D894AFEBBA4BBA1600F44546DF1C65A0E2CF318549C752

Function 0106D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0106D501
Process32FirstW.KERNEL32(00000000,?), ref: 0106D50F
Process32NextW.KERNEL32(00000000,?), ref: 0106D52F
CloseHandle.KERNELBASE(00000000), ref: 0106D5DC

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: be01c79190f7d5963783f702d89be8dd3f50ec58869930b992f434999c5ae771
Instruction ID: e2d2a49185e84f8c8ce3ed75bac2d16e0f0e6ae3a9b9e17230ea17c0a69c0790
Opcode Fuzzy Hash: be01c79190f7d5963783f702d89be8dd3f50ec58869930b992f434999c5ae771
Instruction Fuzzy Hash: 8B31B4716083019FE311EF54C890AAFBBF8EFA9354F54092DF5C5831A1EB719644CBA2

Function 0106DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,01045222), ref: 0106DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0106DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0106DBEE
FindClose.KERNEL32(00000000), ref: 0106DBFA

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 904f1d8b088d092d8b745950418529c8fc51d6fe330164c84c4e3870eb18c50b
Instruction ID: f350d7e2ce56c53b86ae54c25d1e31c9e6cc138fb2db3026f1cd4226507888af
Opcode Fuzzy Hash: 904f1d8b088d092d8b745950418529c8fc51d6fe330164c84c4e3870eb18c50b
Instruction Fuzzy Hash: 9FF02330C1091D97A230ABBCDD0D46E37ACAE01334B404742F4F5C10D8EBB7599447D5

Function 01024CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(010328E9,?,01024CBE,010328E9,010C88B8,0000000C,01024E15,010328E9,00000002,00000000,?,010328E9), ref: 01024D09
TerminateProcess.KERNEL32(00000000,?,01024CBE,010328E9,010C88B8,0000000C,01024E15,010328E9,00000002,00000000,?,010328E9), ref: 01024D10
ExitProcess.KERNEL32 ref: 01024D22

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cb03774a982ea3d7f228b07c89e131472b45ef2a97e6dc19c98771a37325ecc1
Instruction ID: b81292704399633aab4f035b784a1fd4b5e55ee885702f4744b719a71bc98faa
Opcode Fuzzy Hash: cb03774a982ea3d7f228b07c89e131472b45ef2a97e6dc19c98771a37325ecc1
Instruction Fuzzy Hash: 47E0B631400158AFDF21BF54DA19A983F69FB45A81B108054FD89CB126CB3ADA42DB90

Function 0108AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0108B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0108B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0108B1D4
_wcslen.LIBCMT ref: 0108B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0108B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0108B236
_wcslen.LIBCMT ref: 0108B332

Part of subcall function 010705A7: GetStdHandle.KERNEL32(000000F6), ref: 010705C6

_wcslen.LIBCMT ref: 0108B34B
_wcslen.LIBCMT ref: 0108B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0108B3B6
GetLastError.KERNEL32(00000000), ref: 0108B407
CloseHandle.KERNEL32(?), ref: 0108B439
CloseHandle.KERNEL32(00000000), ref: 0108B44A
CloseHandle.KERNEL32(00000000), ref: 0108B45C
CloseHandle.KERNEL32(00000000), ref: 0108B46E
CloseHandle.KERNEL32(?), ref: 0108B4E3

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 02f2a5d2359b7de0002336d628ed6981b2f98e09920a370dbcb6b03fafd979ed
Instruction ID: 00dd9744eff2293227311064927ff9a97d59b6d1183f984b4e7738fa16fe1d7b
Opcode Fuzzy Hash: 02f2a5d2359b7de0002336d628ed6981b2f98e09920a370dbcb6b03fafd979ed
Instruction Fuzzy Hash: 68F1AF316083419FD725EF28C890BAEBBE5BF85314F14859DE8D59B2A1CB31EC45CB52

Function 0100D730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0100D807
timeGetTime.WINMM ref: 0100DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0100DB28
TranslateMessage.USER32(?), ref: 0100DB7B
DispatchMessageW.USER32(?), ref: 0100DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0100DB9F
Sleep.KERNELBASE(0000000A), ref: 0100DBB1

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 83b90dba36cec8ee4e3db511566eea31ce3e1e86f9a4253574350be408192fc5
Instruction ID: fbb798d27e80ea3790249457db24e2ac0195525ce2264e772c06fba74e486dd8
Opcode Fuzzy Hash: 83b90dba36cec8ee4e3db511566eea31ce3e1e86f9a4253574350be408192fc5
Instruction Fuzzy Hash: 7842F130608342EFF766CFA8C854BAABBE5BF45300F048559E9D5872D1D775E884CBA2

Function 01002CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 01002D07
RegisterClassExW.USER32(00000030), ref: 01002D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 01002D42
InitCommonControlsEx.COMCTL32(?), ref: 01002D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 01002D6F
LoadIconW.USER32(000000A9), ref: 01002D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 01002D94

Strings

+, xrefs: 01002CF0
0, xrefs: 01002CE9
TaskbarCreated, xrefs: 01002D37
AutoIt v3 GUI, xrefs: 01002D23

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: ee4ab43d46ab978cbb8f3d6251514bb117389e6813cc458801635a2d41af3c56
Instruction ID: bb75c1c181c2b613dbd65754c3f676cdee3e2d0159f70f49ad2d506dc67d980d
Opcode Fuzzy Hash: ee4ab43d46ab978cbb8f3d6251514bb117389e6813cc458801635a2d41af3c56
Instruction Fuzzy Hash: 4A21EDB5D12318AFEF20DF94E959BDDBBB4FB08704F00411AF991A6284DBBA4544CF51

Function 0104065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0104039A: CreateFileW.KERNELBASE(00000000,00000000,?,01040704,?,?,00000000,?,01040704,00000000,0000000C), ref: 010403B7

GetLastError.KERNEL32 ref: 0104076F
__dosmaperr.LIBCMT ref: 01040776
GetFileType.KERNELBASE(00000000), ref: 01040782
GetLastError.KERNEL32 ref: 0104078C
__dosmaperr.LIBCMT ref: 01040795
CloseHandle.KERNEL32(00000000), ref: 010407B5
CloseHandle.KERNEL32(?), ref: 010408FF
GetLastError.KERNEL32 ref: 01040931
__dosmaperr.LIBCMT ref: 01040938

Strings

H, xrefs: 010408BD

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 2a62616db6e14bf158d9114af611f41450398a263bbdb70f8634b65f14578b50
Instruction ID: d588c6c8aba741dee3b77199a58e6056c780196506e3e21dd3d94936c058cf4a
Opcode Fuzzy Hash: 2a62616db6e14bf158d9114af611f41450398a263bbdb70f8634b65f14578b50
Instruction Fuzzy Hash: 73A13572A001058FDF19EF68D891BEE3BF0EB46320F2441ADF995AB295D7358902CB91

Function 0100344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01003A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010D1418,?,01002E7F,?,?,?,00000000), ref: 01003A78

Part of subcall function 01003357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 01003379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0100356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0104318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 010431CE
RegCloseKey.ADVAPI32(?), ref: 01043210
_wcslen.LIBCMT ref: 01043277
_wcslen.LIBCMT ref: 01043286

Strings

\, xrefs: 0104328C
\Include\, xrefs: 01003527
Software\AutoIt v3\AutoIt, xrefs: 01003560
Include, xrefs: 01043184, 010431C5

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 21c9c5aad6a33169549c5ea1be3fa53132d1697eafd5875ad0eb2cd12130da20
Instruction ID: a608dcf43057c7bdc6d6496bdb174fd059fea5db18b91e383b46374c9a8e0b84
Opcode Fuzzy Hash: 21c9c5aad6a33169549c5ea1be3fa53132d1697eafd5875ad0eb2cd12130da20
Instruction Fuzzy Hash: 0371B1715053029FE325EF69D8808ABBBE8FF94240F40852EF9C5D71A4EF759548CB61

Function 01002B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 01002B8E
LoadCursorW.USER32(00000000,00007F00), ref: 01002B9D
LoadIconW.USER32(00000063), ref: 01002BB3
LoadIconW.USER32(000000A4), ref: 01002BC5
LoadIconW.USER32(000000A2), ref: 01002BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 01002BEF
RegisterClassExW.USER32(?), ref: 01002C40

Part of subcall function 01002CD4: GetSysColorBrush.USER32(0000000F), ref: 01002D07
Part of subcall function 01002CD4: RegisterClassExW.USER32(00000030), ref: 01002D31
Part of subcall function 01002CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 01002D42
Part of subcall function 01002CD4: InitCommonControlsEx.COMCTL32(?), ref: 01002D5F
Part of subcall function 01002CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 01002D6F
Part of subcall function 01002CD4: LoadIconW.USER32(000000A9), ref: 01002D85
Part of subcall function 01002CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 01002D94

Strings

#, xrefs: 01002C16
AutoIt v3, xrefs: 01002C2F
0, xrefs: 01002C0F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 01f92aafc3f48d4478d815dde8b71b04986d4cb973c75bbb2cae4cad5c5b6949
Instruction ID: bd1e51dbd5f9bfb96da472a24545c4448177ac9bb18b5b8eb480bbd6b4b2a480
Opcode Fuzzy Hash: 01f92aafc3f48d4478d815dde8b71b04986d4cb973c75bbb2cae4cad5c5b6949
Instruction Fuzzy Hash: A7214270E02314AFEB209FD5E955B9DBFB5FB48B50F40811AF984A6684DFBA0540DF90

Function 01003170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0100316A,?,?), ref: 010031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0100316A,?,?), ref: 01003204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 01003227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0100316A,?,?), ref: 01003232
CreatePopupMenu.USER32 ref: 01003246
PostQuitMessage.USER32(00000000), ref: 01003267

Strings

TaskbarCreated, xrefs: 0100322D

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 9d52755230b56100dca2fc2ba688bb6c6fec6596cb247ec882c4b4afe1a2c888
Instruction ID: a0283c90dcdb8d4c084a0d24f537bf33e73e63b3b9e32211862ba6746c47c78d
Opcode Fuzzy Hash: 9d52755230b56100dca2fc2ba688bb6c6fec6596cb247ec882c4b4afe1a2c888
Instruction Fuzzy Hash: 48411235244201AFFB276B6CD958BBD3AA9FB19340F044169FAC28E1C5CF7A8540C7A1

Function 01001410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 01001459
CoUninitialize.COMBASE ref: 010014F8
UnregisterHotKey.USER32(?), ref: 010016DD
DestroyWindow.USER32(?), ref: 010424B9
FreeLibrary.KERNEL32(?), ref: 0104251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0104254B

Strings

close all, xrefs: 01001454

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 5b49320ec4577c656b8203e91a5253613de57075550bb0d4b48d02205eec8f6a
Instruction ID: 41550d0db32d11d374142f05168337b320b52eb6f66891ee52ba13d80dec9335
Opcode Fuzzy Hash: 5b49320ec4577c656b8203e91a5253613de57075550bb0d4b48d02205eec8f6a
Instruction Fuzzy Hash: 43D16D71701212CFEB2AEF14D998A69F7A0BF08700F1541ADE5CA6B291DB31ED12CF91

Function 01002C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 01002C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 01002CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,01001CAD,?), ref: 01002CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,01001CAD,?), ref: 01002CCF

Strings

edit, xrefs: 01002CAC
AutoIt v3, xrefs: 01002C89, 01002C8E, 01002C8F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ff39936e5da8092c5a6bceca104cf16a1030a7a7efdd4b816112da08a3c5152b
Instruction ID: 27dea823f4327b9494522a9c30bee5e149282b709a68f6d32a5f0fd4cab51cdc
Opcode Fuzzy Hash: ff39936e5da8092c5a6bceca104cf16a1030a7a7efdd4b816112da08a3c5152b
Instruction Fuzzy Hash: 34F0B775A412907BEB311717AC18E776EBDE7C6F50B00805AFD84A6554CA7A1850DBB0

Function 01003B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,01003B0F,SwapMouseButtons,00000004,?), ref: 01003B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,01003B0F,SwapMouseButtons,00000004,?), ref: 01003B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,01003B0F,SwapMouseButtons,00000004,?), ref: 01003B83

Strings

Control Panel\Mouse, xrefs: 01003B3E

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: c0c524a341f95d8bdef51909440a68294760740744abbeab732f3ccceb473317
Instruction ID: e6b9ed2831e5a7a85833a6af613c315a9bdceb3aea33062b9fd1729548dee37a
Opcode Fuzzy Hash: c0c524a341f95d8bdef51909440a68294760740744abbeab732f3ccceb473317
Instruction Fuzzy Hash: 49115AB1510608FFEB228FA8DC84AAEBBBCFF41748F00445ABA41DB150D6319A409760

Function 01003923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 010433A2

Part of subcall function 01006B57: _wcslen.LIBCMT ref: 01006B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 01003A04

Strings

Line: , xrefs: 010433EB

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: ee6f7c74f7793cce9da536e6f3f514fe6d382e8cd917e49fcabac9c92e03ee68
Instruction ID: 51d8f766b29ec40f68a6d6bfbb22f7453062b508f5e424a7f010c259e69dae3b
Opcode Fuzzy Hash: ee6f7c74f7793cce9da536e6f3f514fe6d382e8cd917e49fcabac9c92e03ee68
Instruction Fuzzy Hash: AC31AB71509315AEE327EB24D844BEEB7E8BF50710F00892EE5D9961C0EF759649CBC2

Function 0101FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 01020668

Part of subcall function 010232A4: RaiseException.KERNEL32(?,?,?,0102068A,?,010D1444,?,?,?,?,?,?,0102068A,01001129,010C8738,01001129), ref: 01023304

__CxxThrowException@8.LIBVCRUNTIME ref: 01020685

Strings

Unknown exception, xrefs: 01020692

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 703656268994da115ac481d3007f14a9bcb5a26d33c4fc18039f0e1219d65fd4
Instruction ID: e9114ecc360fa99fea51bc2f5dfcd7b6595aff6171ded1a8b421dcc5e47c8553
Opcode Fuzzy Hash: 703656268994da115ac481d3007f14a9bcb5a26d33c4fc18039f0e1219d65fd4
Instruction Fuzzy Hash: 62F0C23490032FB7CF10B6A8D848CEE7BAD6F14210BA04565F9A4DA599EF75E619C5C0

Function 010010F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 01001BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 01001BF4
Part of subcall function 01001BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 01001BFC
Part of subcall function 01001BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 01001C07
Part of subcall function 01001BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 01001C12
Part of subcall function 01001BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 01001C1A
Part of subcall function 01001BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 01001C22

Part of subcall function 01001B4A: RegisterWindowMessageW.USER32(00000004,?,010012C4), ref: 01001BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0100136A
OleInitialize.OLE32 ref: 01001388
CloseHandle.KERNEL32(00000000,00000000), ref: 010424AB

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 527190644e0a4ca76e55bf037d7037782faae0b2a34dbb384e4a4def5fccc79b
Instruction ID: 55ec3463cb7004a3ec345d6f082071849609834900a7daae0d1427598b67f717
Opcode Fuzzy Hash: 527190644e0a4ca76e55bf037d7037782faae0b2a34dbb384e4a4def5fccc79b
Instruction Fuzzy Hash: 9B71BCB4A02301CFE7A4DFB9F1456953AE1FB58244798826AD8CAC729DEF3E4041CF44

Function 0106C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 01003923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 01003A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0106C259
KillTimer.USER32(?,00000001,?,?), ref: 0106C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0106C270

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: eb77127d774344e4ea59988fcb44de4e145ec83559d76172dc6f785fc7597085
Instruction ID: 2e91663723e634b04952ace58186b034fdd8141c00edf266a3ef0c7c0aab35fd
Opcode Fuzzy Hash: eb77127d774344e4ea59988fcb44de4e145ec83559d76172dc6f785fc7597085
Instruction Fuzzy Hash: 92318F70904344AFFB729F688995BEBBBECAB06308F04449ADADEA7241C7745684CB51

Function 010386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,010385CC,?,010C8CC8,0000000C), ref: 01038704
GetLastError.KERNEL32(?,010385CC,?,010C8CC8,0000000C), ref: 0103870E
__dosmaperr.LIBCMT ref: 01038739

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 4c2b2eb7efb331bfe5beb8ad8498c7492de01c84204eb2f9e6224e65654c606d
Instruction ID: 9f0795cc7c2de3611dc7aba4f7853296c7ff87f0100a223a017051c38399ddbe
Opcode Fuzzy Hash: 4c2b2eb7efb331bfe5beb8ad8498c7492de01c84204eb2f9e6224e65654c606d
Instruction Fuzzy Hash: 4201B133A0522027D6B26238A9447BE2BDD4BC6734F28C3CFF9D99B0D2DEB5C4819250

Function 0100DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0100DB7B
DispatchMessageW.USER32(?), ref: 0100DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0100DB9F
Sleep.KERNELBASE(0000000A), ref: 0100DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 01051CC9

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 6d6709a8d841108ae02e7f6719e9a4ed53cf82423b3094d3de1d8d36daded5c9
Instruction ID: 350e41c20e6e67f0c0f629d236a04eb1e80ae3099e69e6465b36c7c7ac40b2c1
Opcode Fuzzy Hash: 6d6709a8d841108ae02e7f6719e9a4ed53cf82423b3094d3de1d8d36daded5c9
Instruction Fuzzy Hash: 04F03A306043849BF771DBA4CD99FAA77ACBB84210F404658EA8A830C0DB3590888B25

Function 01011310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 010117F6

Strings

CALL, xrefs: 010117C6

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 8ef0ee20b67803e6c048f7031fb755d8623932d7e7970f8e32f8e17c84bdc12c
Instruction ID: 444a72ef6a76ce15dc502b15e94ff1fbff1a7e96c53f63548ea2044ae1a0032d
Opcode Fuzzy Hash: 8ef0ee20b67803e6c048f7031fb755d8623932d7e7970f8e32f8e17c84bdc12c
Instruction Fuzzy Hash: A1228D70608302DFD758DF28C480A6ABBF1BF89314F58895DEAD68B355D73AE845CB42

Function 01002DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 01042C8C

Part of subcall function 01003AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,01003A97,?,?,01002E7F,?,?,?,00000000), ref: 01003AC2

Part of subcall function 01002DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 01002DC4

Strings

X, xrefs: 01042C5A

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 4cc2e0c276d55955b3517367d950dd79336ddcc3ab0502d8dbc044ce0963c4e1
Instruction ID: e9512375c40318a6b1e959e0fe098617f629b3dcdc7a0addb10fe3a5e0349d75
Opcode Fuzzy Hash: 4cc2e0c276d55955b3517367d950dd79336ddcc3ab0502d8dbc044ce0963c4e1
Instruction Fuzzy Hash: F421D870E002589FDB12EF94C8487DE7BF9AF59704F008059E485A7380DFB55989CF61

Function 01003837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 01003908

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 626e8d4b5a7fefc7f4f2b35d96e7f458c959fa5d1ab33e67adec4d1390cdd132
Instruction ID: e773c4fda16890102e72199c00150ea56f078dbe8b762ee8efb02fb50759a550
Opcode Fuzzy Hash: 626e8d4b5a7fefc7f4f2b35d96e7f458c959fa5d1ab33e67adec4d1390cdd132
Instruction Fuzzy Hash: C2318570605701DFE762DF68D48479BBBE8FB49708F00096EE9DA87280EB75A644CB52

Function 0101F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0101F661

Part of subcall function 0100D730: GetInputState.USER32 ref: 0100D807

Sleep.KERNEL32(00000000), ref: 0105F2DE

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 4dc172cb618f3578bacda0117377428820f5d2d1d72dab11a50b283640227306
Instruction ID: 7dabb90ae2c4a48f49045ed63ad3f564b268d59c491a4bb16402c3ed59a84a8a
Opcode Fuzzy Hash: 4dc172cb618f3578bacda0117377428820f5d2d1d72dab11a50b283640227306
Instruction Fuzzy Hash: B2F08C752406069FE310EF79D558BAAB7E8FF59761F000069E89DC7390DB71AC00CB90

Function 01004ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 01004E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,01004EDD,?,010D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01004E9C
Part of subcall function 01004E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 01004EAE
Part of subcall function 01004E90: FreeLibrary.KERNEL32(00000000,?,?,01004EDD,?,010D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01004EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01004EFD

Part of subcall function 01004E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,01043CDE,?,010D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01004E62
Part of subcall function 01004E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 01004E74
Part of subcall function 01004E59: FreeLibrary.KERNEL32(00000000,?,?,01043CDE,?,010D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01004E87

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: ef1ee474c9343edfb08af6108e0a53558c6edaec9bc14080c394fb6d950d8156
Instruction ID: a41534c1e5aea59337df8e9072e677bda2756195e9630ad0d95564f0daabcd01
Opcode Fuzzy Hash: ef1ee474c9343edfb08af6108e0a53558c6edaec9bc14080c394fb6d950d8156
Instruction Fuzzy Hash: 91112731600206ABEF22FF64DC15FED77A49F60711F10442DE6C2EA1C0EEB09E049B58

Function 01038402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 01038440

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 16db8c0b1048d275aeee2d83e74cc32ae060bf3f58a99f616f8a8b95913ab7d7
Instruction ID: 5e313afbccd1b0be10b7878665b07740e3c8fb5bffdd10725f5e14bbfafd2cb2
Opcode Fuzzy Hash: 16db8c0b1048d275aeee2d83e74cc32ae060bf3f58a99f616f8a8b95913ab7d7
Instruction Fuzzy Hash: 3711067590420AAFCF16DF58E9409DA7BF9EF88314F1085AAF848AB311D631DA118BA5

Function 01035000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01034C7D: RtlAllocateHeap.NTDLL(00000008,01001129,00000000,?,01032E29,00000001,00000364,?,?,?,0102F2DE,01033863,010D1444,?,0101FDF5,?), ref: 01034CBE

_free.LIBCMT ref: 0103506C

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 60208e078aad91c5dab9cd6cbd2dfef3947b5567d333b15f28f8707cf7bcad28
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 080149722043056BE3318F69DC84A9AFBECFBC9270F25055DE1C4872C0EA31A805C7B4

Function 0102E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: b85e52ada6db7707644571cfc3a3d971e25add2f5784f383944e36f518e17b3d
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: B6F02832510A3697D7323A69DC08BDA379C9F962B5F100756F9E0971D0DB74D40186A5

Function 01034C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,01001129,00000000,?,01032E29,00000001,00000364,?,?,?,0102F2DE,01033863,010D1444,?,0101FDF5,?), ref: 01034CBE

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: da53890ad94fd76ddff4b8c87b6dc72c3181d3d51668c6a3c32e9b7ea677362b
Instruction ID: 3ae2598eb3a80bb3110f9cb10a3bd90aac16b090e6d20cf31d4b6c1b33a65daf
Opcode Fuzzy Hash: da53890ad94fd76ddff4b8c87b6dc72c3181d3d51668c6a3c32e9b7ea677362b
Instruction Fuzzy Hash: 20F0E93162523D67EBE15E669808F9A3BCCFFD26B0B044151EDD9EE184CF71D80146E0

Function 01033820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,010D1444,?,0101FDF5,?,?,0100A976,00000010,010D1440,010013FC,?,010013C6,?,01001129), ref: 01033852

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3c78cd1d275693abb8cbeda30b1972f6d188bf8f1c7bda0bf95e55d1f15b9a01
Instruction ID: 8c3988d6472b7fb5d5e1bd6a95ba9f59276bf8f681f1716695118c59e237837d
Opcode Fuzzy Hash: 3c78cd1d275693abb8cbeda30b1972f6d188bf8f1c7bda0bf95e55d1f15b9a01
Instruction Fuzzy Hash: C8E0E53110533656FA712B6B9C44BDA3A8CBFC36B0F050060EDC49A490CF21D80182E5

Function 01004F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,010D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01004F6D

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9197561f84cbe66a4a7af8d64dfdedb45e22ae21e905669fde55b31a3aa01f08
Instruction ID: 30ff573a6c151b4b5a9f7931978c7d47ed80cff1bcd5980951f832a5860ed660
Opcode Fuzzy Hash: 9197561f84cbe66a4a7af8d64dfdedb45e22ae21e905669fde55b31a3aa01f08
Instruction Fuzzy Hash: 54F03071505752CFEB369F64D498836BBE4FF0421971089BEE3DAC2551C7319844CF14

Function 01092A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01092A66

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: b8bf81be299c529a80f0839831e665310277eaa980e36d4700d022c33367a428
Instruction ID: b9de7dc3dcf5b10f7f939621f833d1d99b3855593eb8ec18ffe550f455da04d3
Opcode Fuzzy Hash: b8bf81be299c529a80f0839831e665310277eaa980e36d4700d022c33367a428
Instruction Fuzzy Hash: 6BE0DF77754116BBDB20EA30D8908FE734CEB302907000436A89AC6140DB38998186F0

Function 010030F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0100314E

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 54b387bdf247c9c6866b0ee664bed250b27b7a9884dc5c81fc11d951c050d545
Instruction ID: fa3ada83ccc8c6cb7c4e51c1e964195ddc304be5ccfa6813aeb62e22a239474c
Opcode Fuzzy Hash: 54b387bdf247c9c6866b0ee664bed250b27b7a9884dc5c81fc11d951c050d545
Instruction Fuzzy Hash: 1FF0A070A00318AFEB639B24D8497DA7BFCBB01708F0040E9E6C896285DF755788CF41

Function 01002DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 01002DC4

Part of subcall function 01006B57: _wcslen.LIBCMT ref: 01006B6A

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: f4f67ac8f96c621921b3ef1ba53342bdb4f60d0a9303b1d787bb544159259ac5
Instruction ID: 93783b9116552d753a9e8733971c74eea7a703dcc1ce5c047e6ec1415b088544
Opcode Fuzzy Hash: f4f67ac8f96c621921b3ef1ba53342bdb4f60d0a9303b1d787bb544159259ac5
Instruction Fuzzy Hash: 53E0CDB2A001245BD721D6589C05FDA77DDDFC8790F0400B1FD49D7248D974ADC08650

Function 01002B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 01003837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 01003908

Part of subcall function 0100D730: GetInputState.USER32 ref: 0100D807

SetCurrentDirectoryW.KERNEL32(?), ref: 01002B6B

Part of subcall function 010030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0100314E

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 1ea0deaca382be449aa8009f1477cba40aa519ca190107a9f7ae1a8160bb1baf
Instruction ID: 548a5bcb8271ec014f74871c759b8103efc80d8cc3c8841aa2950ba8783f2f97
Opcode Fuzzy Hash: 1ea0deaca382be449aa8009f1477cba40aa519ca190107a9f7ae1a8160bb1baf
Instruction Fuzzy Hash: 94E026317002460BE617BAB4A4205FDA349BBE0111F40053EE1C6471D2CE2586454311

Function 0104039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,01040704,?,?,00000000,?,01040704,00000000,0000000C), ref: 010403B7

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 078e0bd23928dfdceb01f2c2689dedc439b6a50758cb9b8e15312c301c7d3484
Instruction ID: 962212dcc86c61cc2d19c8bc0426fa74d25a44dcfa8eed9ea6213e48bdbb12d7
Opcode Fuzzy Hash: 078e0bd23928dfdceb01f2c2689dedc439b6a50758cb9b8e15312c301c7d3484
Instruction Fuzzy Hash: 06D06C3204010DBBDF128E84DD06EDA3BAAFB48714F014000BE5856060C736E821AB94

Function 01001CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 01001CBC

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: afdaf3f2903d908cc7497d6580b9783f230384db9e847112a6c126be954e0599
Instruction ID: 163c01718a6e4c178dc8d8664edeb8a3b07f1f989024542ab9263567558885d8
Opcode Fuzzy Hash: afdaf3f2903d908cc7497d6580b9783f230384db9e847112a6c126be954e0599
Instruction Fuzzy Hash: 40C09236281304EFF2348A84BD5AF107765B348B00F848001FA8AA95CBCBBB18A0EB50

Non-executed Functions

Function 01099576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 01019BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01019BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0109961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0109965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0109969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010996C9
SendMessageW.USER32 ref: 010996F2
GetKeyState.USER32(00000011), ref: 0109978B
GetKeyState.USER32(00000009), ref: 01099798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 010997AE
GetKeyState.USER32(00000010), ref: 010997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010997E9
SendMessageW.USER32 ref: 01099810
SendMessageW.USER32(?,00001030,?,01097E95), ref: 01099918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0109992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 01099941
SetCapture.USER32(?), ref: 0109994A
ClientToScreen.USER32(?,?), ref: 010999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 010999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010999D6
ReleaseCapture.USER32 ref: 010999E1
GetCursorPos.USER32(?), ref: 01099A19
ScreenToClient.USER32(?,?), ref: 01099A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 01099A80
SendMessageW.USER32 ref: 01099AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 01099AEB
SendMessageW.USER32 ref: 01099B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 01099B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 01099B4A
GetCursorPos.USER32(?), ref: 01099B68
ScreenToClient.USER32(?,?), ref: 01099B75
GetParent.USER32(?), ref: 01099B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 01099BFA
SendMessageW.USER32 ref: 01099C2B
ClientToScreen.USER32(?,?), ref: 01099C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 01099CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 01099CDE
SendMessageW.USER32 ref: 01099D01
ClientToScreen.USER32(?,?), ref: 01099D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 01099D82

Part of subcall function 01019944: GetWindowLongW.USER32(?,000000EB), ref: 01019952

GetWindowLongW.USER32(?,000000F0), ref: 01099E05

Strings

F, xrefs: 01099D07
@GUI_DRAGID, xrefs: 0109997D

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: b1a834ffbbd7a63bd79d5fdef6b85c62a66e509dad6e99f7cadb79e5e650ddb1
Instruction ID: c76116e41380e2b2cc4c86dc5391a79bed4bfcb84e15bad76e8510159aa6cb33
Opcode Fuzzy Hash: b1a834ffbbd7a63bd79d5fdef6b85c62a66e509dad6e99f7cadb79e5e650ddb1
Instruction Fuzzy Hash: FB429F35608241AFEB21CF28C964AAABBE5FF4D318F10065DF6D5872A1D731A850DF91

Function 01094873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 010948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 01094908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 01094927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0109494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0109495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0109497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 010949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 010949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 01094A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01094A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01094A7E
IsMenu.USER32(?), ref: 01094A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01094AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01094B20
GetWindowLongW.USER32(?,000000F0), ref: 01094B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 01094BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 01094C82
wsprintfW.USER32 ref: 01094CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01094CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 01094CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01094D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01094D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 01094D5A

Strings

%d/%02d/%02d, xrefs: 01094CA8

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 5a3b049c3e17dbf82eeaea48d6f604527bc5f27d9d0d48c7a5d573f4c0209753
Instruction ID: 4e0b0e708496111faf5cb3a1d12e2a989c3996efc95f1d59877996d3119d41d9
Opcode Fuzzy Hash: 5a3b049c3e17dbf82eeaea48d6f604527bc5f27d9d0d48c7a5d573f4c0209753
Instruction Fuzzy Hash: 1712FF71A00215ABFF258F28CE68FAE7BF8EF49710F004159F595DA2D4DB789942CB50

Function 0101F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0101F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0105F474
IsIconic.USER32(00000000), ref: 0105F47D
ShowWindow.USER32(00000000,00000009), ref: 0105F48A
SetForegroundWindow.USER32(00000000), ref: 0105F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0105F4AA
GetCurrentThreadId.KERNEL32 ref: 0105F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0105F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0105F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0105F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0105F4DE
SetForegroundWindow.USER32(00000000), ref: 0105F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0105F4F6
keybd_event.USER32(00000012,00000000), ref: 0105F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0105F50B
keybd_event.USER32(00000012,00000000), ref: 0105F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0105F519
keybd_event.USER32(00000012,00000000), ref: 0105F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0105F528
keybd_event.USER32(00000012,00000000), ref: 0105F52D
SetForegroundWindow.USER32(00000000), ref: 0105F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0105F557

Strings

Shell_TrayWnd, xrefs: 0105F46F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 200f21a270f7e130d22e2cc8639abf5b85bdf3825dfd83cf571f954bf49c5854
Instruction ID: 0b37604a0b3add8f33975f3cb01b99c4d0615fe89cdda3af65ebdf7b5cc6c1d2
Opcode Fuzzy Hash: 200f21a270f7e130d22e2cc8639abf5b85bdf3825dfd83cf571f954bf49c5854
Instruction Fuzzy Hash: 68315E71E40218BBFB316BB55D4AFBF7EACFB44B50F100465FA44E61C1C6BA5940ABA0

Function 01061201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 010616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0106170D
Part of subcall function 010616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0106173A
Part of subcall function 010616C3: GetLastError.KERNEL32 ref: 0106174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 01061286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 010612A8
CloseHandle.KERNEL32(?), ref: 010612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 010612D1
GetProcessWindowStation.USER32 ref: 010612EA
SetProcessWindowStation.USER32(00000000), ref: 010612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 01061310

Part of subcall function 010610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010611FC), ref: 010610D4
Part of subcall function 010610BF: CloseHandle.KERNEL32(?,?,010611FC), ref: 010610E9

Strings

, xrefs: 0106125A
winsta0, xrefs: 010612CC
default, xrefs: 0106130B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: fef1b4ee3568ee942b32a7bbf03689ea02632cdce2a2772819ad380d0d9e0e67
Instruction ID: 59d8b35b8c9407f6d810d1cd8723f64c93f5f0b837502cef9a1a9e7ac4a3e316
Opcode Fuzzy Hash: fef1b4ee3568ee942b32a7bbf03689ea02632cdce2a2772819ad380d0d9e0e67
Instruction Fuzzy Hash: 20818A71A00209ABEF219FA8DD48BEE7FFDFF48704F044169FA90A6190DB759944CB61

Function 01060B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01061114
Part of subcall function 010610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01060B9B,?,?,?), ref: 01061120
Part of subcall function 010610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01060B9B,?,?,?), ref: 0106112F
Part of subcall function 010610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01060B9B,?,?,?), ref: 01061136
Part of subcall function 010610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0106114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01060BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01060C00
GetLengthSid.ADVAPI32(?), ref: 01060C17
GetAce.ADVAPI32(?,00000000,?), ref: 01060C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01060C6D
GetLengthSid.ADVAPI32(?), ref: 01060C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 01060C8C
HeapAlloc.KERNEL32(00000000), ref: 01060C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 01060CB4
CopySid.ADVAPI32(00000000), ref: 01060CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01060CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01060D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 01060D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01060D45
HeapFree.KERNEL32(00000000), ref: 01060D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01060D55
HeapFree.KERNEL32(00000000), ref: 01060D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01060D65
HeapFree.KERNEL32(00000000), ref: 01060D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 01060D78
HeapFree.KERNEL32(00000000), ref: 01060D7F

Part of subcall function 01061193: GetProcessHeap.KERNEL32(00000008,01060BB1,?,00000000,?,01060BB1,?), ref: 010611A1
Part of subcall function 01061193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01060BB1,?), ref: 010611A8
Part of subcall function 01061193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01060BB1,?), ref: 010611B7

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ce21c3b279daa428ea23cacfe376397832456e1e5d6c5997c7c8f886a34eb815
Instruction ID: 950fc548b95eca12dce6605ddd3ffe21034c8eb6c63b2a66e9a743f4352785e8
Opcode Fuzzy Hash: ce21c3b279daa428ea23cacfe376397832456e1e5d6c5997c7c8f886a34eb815
Instruction Fuzzy Hash: E4716E7190020AAFEF10DFA8DD44BEEBBBCBF15310F044655FA94A6184D776A905CB60

Function 0107EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0109CC08), ref: 0107EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0107EB37
GetClipboardData.USER32(0000000D), ref: 0107EB43
CloseClipboard.USER32 ref: 0107EB4F
GlobalLock.KERNEL32(00000000), ref: 0107EB87
CloseClipboard.USER32 ref: 0107EB91
GlobalUnlock.KERNEL32(00000000), ref: 0107EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0107EBC9
GetClipboardData.USER32(00000001), ref: 0107EBD1
GlobalLock.KERNEL32(00000000), ref: 0107EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0107EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0107EC38
GetClipboardData.USER32(0000000F), ref: 0107EC44
GlobalLock.KERNEL32(00000000), ref: 0107EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0107EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0107EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0107ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0107ECF3
CountClipboardFormats.USER32 ref: 0107ED14
CloseClipboard.USER32 ref: 0107ED59

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 803ceb715a21769dcdfcf61ec26397b7aa185d3820f092fc8638bd8fc6724651
Instruction ID: 1da2aa85337991a999678ab2404eb92e3a5a5a1c0e74e6827b7400e691ebba00
Opcode Fuzzy Hash: 803ceb715a21769dcdfcf61ec26397b7aa185d3820f092fc8638bd8fc6724651
Instruction Fuzzy Hash: 8D61EF34A042029FE311EF28D994F7A7BE4BF84704F444599E5C69B2D1DB32E905CBA2

Function 0107698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 010769BE
FindClose.KERNEL32(00000000), ref: 01076A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01076A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01076A75

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 01076AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 01076ADF

Strings

%4d, xrefs: 01076BB1
%03d, xrefs: 01076DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 01076B32
%02d, xrefs: 01076C00, 01076C0A, 01076C5A, 01076CAA, 01076CFA, 01076D4A
%4d%02d%02d%02d%02d%02d, xrefs: 01076B6A

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 5f52da7c4340472f45e0d3df2d3f4b7580d9131ac9a1857d23679787408bd48c
Instruction ID: 7e3716ee8aec8a33f1bcd3cc6b9f831d13c5387e212e1fbc235941b20cc26cdf
Opcode Fuzzy Hash: 5f52da7c4340472f45e0d3df2d3f4b7580d9131ac9a1857d23679787408bd48c
Instruction Fuzzy Hash: 8ED17071908301AEE311EBA4C991EAFB7ECBF98704F40491DF5C987190EB35DA48CB62

Function 01079642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 01079663
GetFileAttributesW.KERNEL32(?), ref: 010796A1
SetFileAttributesW.KERNEL32(?,?), ref: 010796BB
FindNextFileW.KERNEL32(00000000,?), ref: 010796D3
FindClose.KERNEL32(00000000), ref: 010796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 010796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0107974A
SetCurrentDirectoryW.KERNEL32(010C6B7C), ref: 01079768
FindNextFileW.KERNEL32(00000000,00000010), ref: 01079772
FindClose.KERNEL32(00000000), ref: 0107977F
FindClose.KERNEL32(00000000), ref: 0107978F

Strings

*.*, xrefs: 010796F5

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: bdd4563c559e3907ef0a2ea7bac71509f42e825c61c36a170db278a644d3ce10
Instruction ID: 748316519cf6f85dea16ea713c0017e9230296191179b4a7afd7bb43bdfa3966
Opcode Fuzzy Hash: bdd4563c559e3907ef0a2ea7bac71509f42e825c61c36a170db278a644d3ce10
Instruction Fuzzy Hash: A131C532D412196BEF24DFB9DD18ADE77ECAF49234F004199E985E2190DB35DA44CB28

Function 0107979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 010797BE
FindNextFileW.KERNEL32(00000000,?), ref: 01079819
FindClose.KERNEL32(00000000), ref: 01079824
FindFirstFileW.KERNEL32(*.*,?), ref: 01079840
SetCurrentDirectoryW.KERNEL32(?), ref: 01079890
SetCurrentDirectoryW.KERNEL32(010C6B7C), ref: 010798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 010798B8
FindClose.KERNEL32(00000000), ref: 010798C5
FindClose.KERNEL32(00000000), ref: 010798D5

Part of subcall function 0106DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0106DB00

Strings

*.*, xrefs: 0107983B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 33f73ce4c9f1b731269c37c0f7a16a5ccf76c06b067606dde891e1a84a03be82
Instruction ID: e9daff1ef1a98644523b127fe06b944effbccd19fca19afd87553f1f5d63e386
Opcode Fuzzy Hash: 33f73ce4c9f1b731269c37c0f7a16a5ccf76c06b067606dde891e1a84a03be82
Instruction Fuzzy Hash: 5B31F831D00219AAFF60DFB8DC58ADE77ACAF46234F1441D9E5D4A2190DB35DA84CB28

Function 0108BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0108C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0108B6AE,?,?), ref: 0108C9B5
Part of subcall function 0108C998: _wcslen.LIBCMT ref: 0108C9F1
Part of subcall function 0108C998: _wcslen.LIBCMT ref: 0108CA68
Part of subcall function 0108C998: _wcslen.LIBCMT ref: 0108CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0108BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0108BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0108BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0108C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0108C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0108C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0108C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0108C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0108C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0108C382
RegCloseKey.ADVAPI32(00000000), ref: 0108C38F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 2ed51229684efa91b2281a5d539968d7294cb016ea82ce0de405b87225d6b1aa
Instruction ID: dce54a995a761f4ac1c942cfecf7bda320ee06750640c4d8240d6960a958ce83
Opcode Fuzzy Hash: 2ed51229684efa91b2281a5d539968d7294cb016ea82ce0de405b87225d6b1aa
Instruction Fuzzy Hash: 16025D706082019FE755DF28C594E6ABBF5AF89314F08C49DE4C9CB2A2DB31ED46CB61

Function 01078195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 01078257
SystemTimeToFileTime.KERNEL32(?,?), ref: 01078267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01078273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01078310
SetCurrentDirectoryW.KERNEL32(?), ref: 01078324
SetCurrentDirectoryW.KERNEL32(?), ref: 01078356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0107838C
SetCurrentDirectoryW.KERNEL32(?), ref: 01078395

Strings

*.*, xrefs: 0107839B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 86160765af82ab5f3cd3c094fe7b16c2a6ff5f87d29eaff19e811081964ea4ad
Instruction ID: 85d7ae68eeacfa4ee385b8e8ee49ec0886d2ba6208975f1f7c7f44ee0c75042e
Opcode Fuzzy Hash: 86160765af82ab5f3cd3c094fe7b16c2a6ff5f87d29eaff19e811081964ea4ad
Instruction Fuzzy Hash: 1B618BB29043069FD710EF64C8889EEB3E8FF99214F04895EE9C9C7250DB35E945CB96

Function 0106D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01003AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,01003A97,?,?,01002E7F,?,?,?,00000000), ref: 01003AC2

Part of subcall function 0106E199: GetFileAttributesW.KERNEL32(?,0106CF95), ref: 0106E19A

FindFirstFileW.KERNEL32(?,?), ref: 0106D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0106D1DD
MoveFileW.KERNEL32(?,?), ref: 0106D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0106D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0106D237

Part of subcall function 0106D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0106D21C,?,?), ref: 0106D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0106D253
FindClose.KERNEL32(00000000), ref: 0106D264

Strings

\*.*, xrefs: 0106D0CD, 0106D0D6, 0106D0EB

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 2d9c529fc5cce1cae70bc5fcf0b3e766ea20f47792de512922015b560b775f2c
Instruction ID: 7cd6a8584df50ab44b0e204e8eac5b98064bacd12e9e7650e1f61d85c6b0dd1e
Opcode Fuzzy Hash: 2d9c529fc5cce1cae70bc5fcf0b3e766ea20f47792de512922015b560b775f2c
Instruction Fuzzy Hash: 5F617F31D0110EAFEF16EBE4CA919EEB7B9AF24200F6041A5D5C577191EB319F09CB60

Function 0107ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0107ED91
EmptyClipboard.USER32 ref: 0107ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0107EDAC
CloseClipboard.USER32 ref: 0107EEA3

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8a1c22d4b0c68a2483c2c94ea6e5b4a13e5126f20477203ced7be44427bb0e01
Instruction ID: d83e1b7bfd073b9ee39bba8c4fc3a1bbec426ba7878b32fdebb06ede772e5be1
Opcode Fuzzy Hash: 8a1c22d4b0c68a2483c2c94ea6e5b4a13e5126f20477203ced7be44427bb0e01
Instruction Fuzzy Hash: AA41C035A056119FE321DF19D458B69BBE4FF44318F04C4D9E49A8B6A2CB3AFC41CB91

Function 0106E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 010616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0106170D
Part of subcall function 010616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0106173A
Part of subcall function 010616C3: GetLastError.KERNEL32 ref: 0106174A

ExitWindowsEx.USER32(?,00000000), ref: 0106E932

Strings

, xrefs: 0106E95C
@, xrefs: 0106E925
, xrefs: 0106E920
SeShutdownPrivilege, xrefs: 0106E902

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: bdae66b77797c0f4b759c1f40817727a668cbfd19f4011b66b415dd08e897993
Instruction ID: 5d6ad02ee4c4339f75a9b477254c014b09256fe6901240733263979419a3e438
Opcode Fuzzy Hash: bdae66b77797c0f4b759c1f40817727a668cbfd19f4011b66b415dd08e897993
Instruction Fuzzy Hash: 5C012636A10311ABFB64A2B8DC85BFF73ACAF14740F040421F9C2E21C1D5A65C4082B0

Function 01081204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 01081276
WSAGetLastError.WSOCK32 ref: 01081283
bind.WSOCK32(00000000,?,00000010), ref: 010812BA
WSAGetLastError.WSOCK32 ref: 010812C5
closesocket.WSOCK32(00000000), ref: 010812F4
listen.WSOCK32(00000000,00000005), ref: 01081303
WSAGetLastError.WSOCK32 ref: 0108130D
closesocket.WSOCK32(00000000), ref: 0108133C

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: db0ec92627e9e12b52ad221b34a571209f0a1b23f372931ae3d2332900892c47
Instruction ID: 068cfe1e14cb57c2c66b6917eb612af218e471f4cb9864052eb1066e768dd248
Opcode Fuzzy Hash: db0ec92627e9e12b52ad221b34a571209f0a1b23f372931ae3d2332900892c47
Instruction Fuzzy Hash: 1A418771A041119FE710EF28C594B6ABBE5BF45318F1881C8D9D68F2D6C775EC82CBA1

Function 0103B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0103B9D4
_free.LIBCMT ref: 0103B9F8
_free.LIBCMT ref: 0103BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,010A3700), ref: 0103BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,010D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0103BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,010D1270,000000FF,?,0000003F,00000000,?), ref: 0103BC36
_free.LIBCMT ref: 0103BD4B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: ce654cd7b30e061b7fd1bede477be4a2f84eb71078116a2fb0495d052fd99ce9
Instruction ID: ea850cf9f8f43be8c8b1932ff8288ad895a431db25d2920c51ea28a276e7ed1b
Opcode Fuzzy Hash: ce654cd7b30e061b7fd1bede477be4a2f84eb71078116a2fb0495d052fd99ce9
Instruction Fuzzy Hash: 3EC12471A04209AFDB359F6D9850AFE7FECEFC6218F14419AD8D4DB245EB318A42CB50

Function 0106D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01003AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,01003A97,?,?,01002E7F,?,?,?,00000000), ref: 01003AC2

Part of subcall function 0106E199: GetFileAttributesW.KERNEL32(?,0106CF95), ref: 0106E19A

FindFirstFileW.KERNEL32(?,?), ref: 0106D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0106D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0106D481
FindClose.KERNEL32(00000000), ref: 0106D498
FindClose.KERNEL32(00000000), ref: 0106D4A1

Strings

\*.*, xrefs: 0106D3F2

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 27e0d738e45dd08ef080bfee55de02f0be28755cce08262c5abca8cf674c5845
Instruction ID: 81bbb02fcff25869bc485b58137953aba8d06c77558ac7639cd272a45064b7bc
Opcode Fuzzy Hash: 27e0d738e45dd08ef080bfee55de02f0be28755cce08262c5abca8cf674c5845
Instruction Fuzzy Hash: 823181715083469FD316EF64C8908EFB7ECBEA1214F444A5DF4D5931D1EF21AA09CB62

Function 0103E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0103E645

Strings

1#IND, xrefs: 0103F83D
1#SNAN, xrefs: 0103F844
1#INF, xrefs: 0103F852
1#QNAN, xrefs: 0103F84B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6afc832475fcb7885d98a14df5ec846c3194bd2d4e6309d065b48b5e0e42429d
Instruction ID: cefbec71ae54f67a8cbea919d58228e9dfa651c94ab63ce39865d7d437c809db
Opcode Fuzzy Hash: 6afc832475fcb7885d98a14df5ec846c3194bd2d4e6309d065b48b5e0e42429d
Instruction Fuzzy Hash: 62C24B71E046298FDB65CE28DD407EAB7F9EB88304F1442EAD58DE7241E774AE818F41

Function 0107648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 010764DC
CoInitialize.OLE32(00000000), ref: 01076639
CoCreateInstance.OLE32(0109FCF8,00000000,00000001,0109FB68,?), ref: 01076650
CoUninitialize.OLE32 ref: 010768D4

Strings

.lnk, xrefs: 010764BA, 01076524, 010765E0

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 375256cc8e9f04c9581f6eac06c318d05803d7595b1c77aa7ab30dec3dfe3e11
Instruction ID: 7737f6cd4dbf60e492f6adc3bf2b7e5a2c81e572ef6536c6165a7fb1d6cf0194
Opcode Fuzzy Hash: 375256cc8e9f04c9581f6eac06c318d05803d7595b1c77aa7ab30dec3dfe3e11
Instruction Fuzzy Hash: 46D14A719087029FE315EF24C890EABB7E8FF98704F40495DF5968B291DB71E905CB92

Function 01079B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 01079B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 01079C8B

Part of subcall function 01073874: GetInputState.USER32 ref: 010738CB
Part of subcall function 01073874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01073966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 01079BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 01079C75

Strings

*.*, xrefs: 01079B5D

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 6ace865897e5944cd219d28f9d38ce26d5f12ba812a54e7529e2bad8acd6a5c9
Instruction ID: 5590f53aadd2f770d33114372a56f20667969d90fb3d6a8ae79e64d83fc26d9b
Opcode Fuzzy Hash: 6ace865897e5944cd219d28f9d38ce26d5f12ba812a54e7529e2bad8acd6a5c9
Instruction Fuzzy Hash: 9841C271D0020EAFEF55DF68C995AEEBBF4FF05324F104099E585A6290EB319A84CF64

Function 0101997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 01019BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01019BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 01019A4E
GetSysColor.USER32(0000000F), ref: 01019B23
SetBkColor.GDI32(?,00000000), ref: 01019B36

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 4b6961976c17e8039367e2226cf32855d1e28d4458df4927e5812b28171e97e7
Instruction ID: e274a35c3b624673f770c35cffe9922fc7081283edc94256b1cd730d88b45b4f
Opcode Fuzzy Hash: 4b6961976c17e8039367e2226cf32855d1e28d4458df4927e5812b28171e97e7
Instruction Fuzzy Hash: F8A14D71204045BEFBB5996C8CB8DBF3ADDEB46308B854149FAC2C698DCA2D9905D3B1

Function 01081806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0108304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0108307A
Part of subcall function 0108304E: _wcslen.LIBCMT ref: 0108309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0108185D
WSAGetLastError.WSOCK32 ref: 01081884
bind.WSOCK32(00000000,?,00000010), ref: 010818DB
WSAGetLastError.WSOCK32 ref: 010818E6
closesocket.WSOCK32(00000000), ref: 01081915

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 662b2e8e390a633e4f2989b33c9a032a6ca29ab65276a7eacfbf960ea8010249
Instruction ID: c00748e3a456b2a688984409462eda21a8bd492167697cdab6c557f6aba207df
Opcode Fuzzy Hash: 662b2e8e390a633e4f2989b33c9a032a6ca29ab65276a7eacfbf960ea8010249
Instruction Fuzzy Hash: 3951C671A00211AFE711AF24C885FAA77E5AF44718F44809CE9D95F3C6CB75AD42CBA1

Function 0107CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0107C21E,00000000), ref: 0107CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0107CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0107C21E,00000000), ref: 0107CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0107C21E,00000000), ref: 0107CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0107C21E,00000000), ref: 0107CFF2

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 2cea51e8825c213294d139736fb023f454848cca8597d529c1f45844eb987c80
Instruction ID: de344c217cbea0fa371b42fd66a5d916d5f69828ac4c5e7c9cafbddc4a0ba69e
Opcode Fuzzy Hash: 2cea51e8825c213294d139736fb023f454848cca8597d529c1f45844eb987c80
Instruction Fuzzy Hash: 14315271900606EFFB60DFA9DA849AFBBF8FF14250B10446EE596D2140D734AA41CB64

Function 01091C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 01091CC0
IsWindowEnabled.USER32 ref: 01091CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 01091CDB
IsIconic.USER32 ref: 01091CE9
IsZoomed.USER32 ref: 01091CF7

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a09571ab573bd397722f79791e44e290992ecd7e97699e025e9ffb64bb67e300
Instruction ID: b6a11f44118b5d19219e125a4c056d533d28aea32a2732faa17e6e75cdb68cf9
Opcode Fuzzy Hash: a09571ab573bd397722f79791e44e290992ecd7e97699e025e9ffb64bb67e300
Instruction Fuzzy Hash: FF21E7717002465FFB219F1AD464B6A7BE5FF95324F18809CE8CA8B341CB76D842DB90

Function 01008060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 01045DF0
VUUU, xrefs: 0100843C
ERCP, xrefs: 0100813C
VUUU, xrefs: 010083FA
VUUU, xrefs: 010083E8

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 68b2db917b8885d9b7371bd5b8c934c73fa108e044094cbec9278f8747ee992a
Instruction ID: 1bd59ce98eee94a9ecb79195b62d887ca279ca1fe25f0ce443535c3794e13a27
Opcode Fuzzy Hash: 68b2db917b8885d9b7371bd5b8c934c73fa108e044094cbec9278f8747ee992a
Instruction Fuzzy Hash: 86A283B0E0021ACBEF66CF58C9807EEB7B1BF45310F1581AAD995A7285E7719D81CF90

Function 0106AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0106ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0106AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0106AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0106ACC6

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 694ae00ab99a155db063e2bd3eb02f6509ae0c71425a2a79c453e5a1ba033764
Instruction ID: 52ce0ee31acb812739a7c7c0796b2ad7f8858bb304455affa2fb53f8197de6df
Opcode Fuzzy Hash: 694ae00ab99a155db063e2bd3eb02f6509ae0c71425a2a79c453e5a1ba033764
Instruction Fuzzy Hash: 0331F430B0061CEFFF35AA6988147FE7AEDAB89330F04425AE4C5A31D9C37995858791

Function 01068298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 010682AA

Strings

(, xrefs: 010682F0
|, xrefs: 010682DA

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: bf2d707bbcceceef2556091e2536306c5bbd5f89df537f98cc5a0bea7eda6662
Instruction ID: 1ebeac3659200e9fb3eb5384d7df28e8a192d5bf48c7d28248fb865c3f6c42bd
Opcode Fuzzy Hash: bf2d707bbcceceef2556091e2536306c5bbd5f89df537f98cc5a0bea7eda6662
Instruction Fuzzy Hash: AB323574A007059FDB28CF59C480AAAB7F4FF48710B15C5AEE59ADB3A1E770E981CB44

Function 01075C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01075CC1
FindNextFileW.KERNEL32(00000000,?), ref: 01075D17
FindClose.KERNEL32(?), ref: 01075D5F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 9af5603efbb254be7f6e1041e4e3ae1fa750b672ee8204409667b72d7ba0c8cf
Instruction ID: 07d768dd2499bd5658ffa81b27b6f2ca9ebfe0fbcb8877bcda3743f490b9bdf6
Opcode Fuzzy Hash: 9af5603efbb254be7f6e1041e4e3ae1fa750b672ee8204409667b72d7ba0c8cf
Instruction Fuzzy Hash: 2F51AA74A006029FD724DF28C894ADABBE4FF49314F14859DE99A8B3A1CB31FD05CB91

Function 01032622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0103271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01032724
UnhandledExceptionFilter.KERNEL32(?), ref: 01032731

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9b8e6385c3c2862c7bfaf4c89259045dd5e2a79e3216b3d1a81b667971df3e02
Instruction ID: 09f6d2e16965acd54b94c3d6c992fad72b7274ca83d52f0a064955c75b1b7dd1
Opcode Fuzzy Hash: 9b8e6385c3c2862c7bfaf4c89259045dd5e2a79e3216b3d1a81b667971df3e02
Instruction Fuzzy Hash: 0C31E97491122D9BCB21DF68D9887DCBBB8BF08310F5042DAE84CA7250E7349F818F44

Function 010751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 010751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 01075238
SetErrorMode.KERNEL32(00000000), ref: 010752A1

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 6d09bb20bed6c80af7373af2a793a5730a641c2e524dee1f94b8d8f2f4133d3b
Instruction ID: b135956773a118aa4565642b100c17c680368eaac472727f40313630da0ddb93
Opcode Fuzzy Hash: 6d09bb20bed6c80af7373af2a793a5730a641c2e524dee1f94b8d8f2f4133d3b
Instruction Fuzzy Hash: 42317C74A001089FEB00DF54C884AEDBBB4FF09314F048099E989AB391CB36E846CB51

Function 010616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0101FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 01020668
Part of subcall function 0101FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 01020685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0106170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0106173A
GetLastError.KERNEL32 ref: 0106174A

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: f60a7fd820106d438c7a0991fb9fd1b1f2b02e44fcaa4c9de405496db3ee38cb
Instruction ID: dd915d59183855b0768ab53b505716179b6da77b2e5ca7cc45f0d546cd0830c7
Opcode Fuzzy Hash: f60a7fd820106d438c7a0991fb9fd1b1f2b02e44fcaa4c9de405496db3ee38cb
Instruction Fuzzy Hash: 681191B2804305AFE728AF54EC86DAABBFDFB44714B24851EE09657244EB75BC458B20

Function 0106D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0106D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0106D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0106D650

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 8724815074f38f6af37fa749bdbb6fcdced29e1da53e6f06d36b016cd7f3d14f
Instruction ID: 02886467d1344a5ca0a08baa5aa363c236f05db5db8de8ae535636e92b831cf5
Opcode Fuzzy Hash: 8724815074f38f6af37fa749bdbb6fcdced29e1da53e6f06d36b016cd7f3d14f
Instruction Fuzzy Hash: EA11A171E01228BFEB208F98DD45FAFBFBCEB49B50F108151F944E7280C2704A018BA1

Function 01061663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0106168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 010616A1
FreeSid.ADVAPI32(?), ref: 010616B1

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: e3d32ff79011997e257a55333b24240c0017237d5bca577c644bb6c7a6a7bdce
Instruction ID: b92f7eca7b64f7c88f9c44b925bc931d13767e8f5ddba7ede1714271fcd708d0
Opcode Fuzzy Hash: e3d32ff79011997e257a55333b24240c0017237d5bca577c644bb6c7a6a7bdce
Instruction Fuzzy Hash: DEF01775D5030DBBEF00DFE4D989EAEBBBCFB08604F5045A5F501E2181E775AA548B50

Function 0103C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0103C36C

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: ef601a13b409bc8d50b950ba04f01b2945ae86d4428d24faf7affc6aef70d665
Instruction ID: 2e0a00d6bd2cf6a52ab19f44a46579f1e1777eef52db172fc7f00f6ccedc8fb7
Opcode Fuzzy Hash: ef601a13b409bc8d50b950ba04f01b2945ae86d4428d24faf7affc6aef70d665
Instruction Fuzzy Hash: 1C4128769002196FEB209FB9CD48EAB77BCEBC4314F1042AAF955E7180E6719E418B50

Function 0105D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0105D28C

Strings

X64, xrefs: 0105D2A8

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: e7209170e29cdf9a374131fcebc099131ec260932f880e8888e7447e3f154347
Instruction ID: c190bc0d0dde97c0cc35413513bfc26128b7fbf072e151207287b4651d688c5d
Opcode Fuzzy Hash: e7209170e29cdf9a374131fcebc099131ec260932f880e8888e7447e3f154347
Instruction Fuzzy Hash: 90D0C9B480111DEECB90CA90DC88DDEB37CBB14345F000152F546A2000D77495488F20

Function 0102CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: a606b729c2fd9367f4d78923e1811e60f908f66bd23e9733792f320a0b86ebcb
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 41023D71E001299FEF54CFA9C9806ADFBF1EF48314F2581AAD959E7381D731AA41CB80

Function 010768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01076918
FindClose.KERNEL32(00000000), ref: 01076961

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d12fd8385f35618edb18a2f93d052c1e5334a94d001c9a06b12901f5eb3e0d4c
Instruction ID: f69ebe25c21f81e018763d58ff19d38c5afb835942d0355c06fa8ca1ca201dc0
Opcode Fuzzy Hash: d12fd8385f35618edb18a2f93d052c1e5334a94d001c9a06b12901f5eb3e0d4c
Instruction Fuzzy Hash: C311B9715046019FE710DF29D484A56BBE4FF85328F04C69DE4A98F792CB35EC45CB91

Function 010737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,01084891,?,?,00000035,?), ref: 010737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,01084891,?,?,00000035,?), ref: 010737F4

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c75507aca5f29834781a9a55aba798403edeb65f61813d8d49bd9d6bc79770fb
Instruction ID: cca9d6c992b989bb0887166bdbebff2c092b414bb98417542d0492f36074404b
Opcode Fuzzy Hash: c75507aca5f29834781a9a55aba798403edeb65f61813d8d49bd9d6bc79770fb
Instruction Fuzzy Hash: A1F0E571A042292BFB3016668C8CFEB7BAEFFC4761F0001B5F549D2285DA609944C7B0

Function 0106B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0106B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0106B270

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 53ec3939b56b8501e1ece18dacd2c7ffb260b0afa105529bd6c2d92a68dbe422
Instruction ID: 4830340361159454ff1098d05b2331928d3eea9e458acceea37ca8bf895b72be
Opcode Fuzzy Hash: 53ec3939b56b8501e1ece18dacd2c7ffb260b0afa105529bd6c2d92a68dbe422
Instruction Fuzzy Hash: 64F01D7190428EABEB159FA4C805BAE7FB4FF04305F008059F995A5192D77982119F94

Function 010610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010611FC), ref: 010610D4
CloseHandle.KERNEL32(?,?,010611FC), ref: 010610E9

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 866ce7626b930f804066b8d18122bd2be78256b2839cb1707f1abbb389f71bf2
Instruction ID: 94fbb4453bf487f89ed7c5e2d186f58fffb2a7372e7361c69f9114312dae8ab5
Opcode Fuzzy Hash: 866ce7626b930f804066b8d18122bd2be78256b2839cb1707f1abbb389f71bf2
Instruction Fuzzy Hash: 35E04F32008601AEF7252B11FD05EB77BE9FB04310F10881DF5E5804B4DB766CA0DB10

Function 0100CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 01050C40

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 1095b5651fc51cf2c8a4a902360e601731eb75ae35d81f5fd0eac02b4d0c4470
Instruction ID: aa0c98e164668f5d7374119913a97d8eaf9b1cee5dd9b6cb172148cc15d14172
Opcode Fuzzy Hash: 1095b5651fc51cf2c8a4a902360e601731eb75ae35d81f5fd0eac02b4d0c4470
Instruction Fuzzy Hash: 2A32BF70900209DBFF56DF94CA80AFEBBB4FF15304F148199E886AB2C5DB35A945CB61

Function 0103676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,01036766,?,?,00000008,?,?,0103FEFE,00000000), ref: 01036998

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 79e1d4042471ab962a3bbfd16a6a9bbe36f10bf8574c2b95e2e673639a9408d4
Instruction ID: acd5cbb4a66e27dfc5f0a79abc57255eaba5b15eae751315aa86bc8d567f5f0d
Opcode Fuzzy Hash: 79e1d4042471ab962a3bbfd16a6a9bbe36f10bf8574c2b95e2e673639a9408d4
Instruction Fuzzy Hash: 5CB14C71510608AFE755CF2CC486BA47BE4FF85364F258698E9D9CF2A1C336DA81CB40

Function 0101B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0105851F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 10b2663a6c0a82044e03e5aa81674f120b425ddaa7d1794c9d98f5f3f800a582
Instruction ID: 90b4144b523d332189be84e8a74b8bc8ce24f69664b91cf619eef975dd57f21e
Opcode Fuzzy Hash: 10b2663a6c0a82044e03e5aa81674f120b425ddaa7d1794c9d98f5f3f800a582
Instruction Fuzzy Hash: 8A122075A002299BDB55CF59C8806EEBBF5FF48310F14C19AEC89EB255DB349A81CF90

Function 0107EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0107EABD

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 56dde146683878c4ad9884d52035e4d58f0e205e4a3a81bf13cb6b51ce6b54c7
Instruction ID: 54afa48c85ac447a18144e281e445163389756ebd794ed254f471a1edbc2b168
Opcode Fuzzy Hash: 56dde146683878c4ad9884d52035e4d58f0e205e4a3a81bf13cb6b51ce6b54c7
Instruction Fuzzy Hash: 59E04F75200205AFE710EF59D404E9AF7E8BF98760F00849AFC89C7390DA71F8408B95

Function 0106E355 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 0106E37E

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: b487380381518fb7151ebb3f8cb55d55232eee50c99dbcc32b7793af283e21f1
Instruction ID: 7c5a09d526209e13f2eebfd59c6e9ecfdc32be389074e3f093d4b1b87b7f147d
Opcode Fuzzy Hash: b487380381518fb7151ebb3f8cb55d55232eee50c99dbcc32b7793af283e21f1
Instruction Fuzzy Hash: 77D05EFE5A03113DFEBD8A3CCA3FF7A2A8DF301580F40D789B2C189589E682A8444425

Function 010209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,010203EE), ref: 010209DA

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d793bac3b62337d43aeacc88bdddc54db62ab166d6ccc944b297f869c1cf4d3e
Instruction ID: 3b84146b6be6f4f003b0991bb940aa8164e31ed5980b499758dac44affa577cc
Opcode Fuzzy Hash: d793bac3b62337d43aeacc88bdddc54db62ab166d6ccc944b297f869c1cf4d3e
Instruction Fuzzy Hash:

Function 0102781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0102798B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: b9690e5d3b1a1df39aa30333583558d143ab75a92b1d397d4f54644a3c13acd7
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 6B519A717807365BFFB9857C8855BFF7BC99B72200F08058ADAC6D7282C695EA01C356

Function 01036DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3bd28568f8995c6766452243511cfb169322d2f797c7135cb441bdb11431a61
Instruction ID: ef1e35af44b1b47d1940f3ca83415e4a49f82c4825204647629e50d328b83b81
Opcode Fuzzy Hash: b3bd28568f8995c6766452243511cfb169322d2f797c7135cb441bdb11431a61
Instruction Fuzzy Hash: 8A323172D29F414DD7639538C822335A68DAFA73C5F55C737E89AB5D9AEB2AC0C34200

Function 0101CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003b57287a6df42d7dc09ea4b5bd7f9c6ad415f3fb0ba14a7ba93dd0b7d106a7
Instruction ID: 648a94b18dd1a594194049410eb5a3ea7c2e686f748be0d2e72f85b1bf01e1f7
Opcode Fuzzy Hash: 003b57287a6df42d7dc09ea4b5bd7f9c6ad415f3fb0ba14a7ba93dd0b7d106a7
Instruction Fuzzy Hash: 42321531A003498BFFA4CA6CC6946BE7FE9EB45304F1885AADDC5DB285E234DD81CB51

Function 01007920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa5871d188038f9f92a2bd6034b6394e88b97c6178b369f41ff629777d573a2b
Instruction ID: 25b42b62c454fac18d40335d7eec2bd023c20f6c032791fe5c0ed7671ccaa361
Opcode Fuzzy Hash: aa5871d188038f9f92a2bd6034b6394e88b97c6178b369f41ff629777d573a2b
Instruction Fuzzy Hash: 1722C6B0A0060ADFEF15DF68D880AEEB7F5FF44300F144169E996E7291EB39A954CB50

Function 010091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fc24eb48e7771fb02b1d0068c1f373adede417cf37f99b7ebf206aff46edfe
Instruction ID: 4c9cd060bf57b1fefdd892d1e8288f025217e71d22df37fd63df75743800e566
Opcode Fuzzy Hash: 26fc24eb48e7771fb02b1d0068c1f373adede417cf37f99b7ebf206aff46edfe
Instruction Fuzzy Hash: C702D7F0E0020AEFDF05DF54D880AAEB7F1FF54304F108169E9969B285EB35A965CB94

Function 01039EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cfc1668b466eb27e1a2a51378b2e8fb7359ba8748a2b17bfb1579ee3cfaabc0
Instruction ID: fe8afeec5064ea83b5040528b2d22ee245f6b1d478a92071858b7612e2692866
Opcode Fuzzy Hash: 8cfc1668b466eb27e1a2a51378b2e8fb7359ba8748a2b17bfb1579ee3cfaabc0
Instruction Fuzzy Hash: EAB1E131E2AF414DD22396398431336F65CBFBB6D5B91D31BFC9678E16EB2685834240

Function 01021C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 73280131ad1cbb6d583f1f24ee21da8ad1ee40c04061ca2d08876e950d165809
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: CF9175726080B34AEBAA563E857447EFFE15E822A131A07EED4F2CB1C5FE34D554D620

Function 01021F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 2fb8c7fd621b9376e53f5f9813a7cf6946a0bae24c80eb0a6f02e4ebfea425f6
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 9D9168772090B34DEBAE427D857443EFFE25A922A131A07DDE5F2CB1D6EE24C164D620

Function 010219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 61b74b00a204bad31a9b9cb2b6cf1694bc73f647ef7ea1a81139ea9fa385bfc3
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 979102722090F34AEBAE467E857407EFFF55A921A231A07EED4F2CA1C5FE349154D620

Function 01027A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b409454d147e2c874c21edef73a2d2916d9fded3f6be8fff82abc911ef461c
Instruction ID: daa35b52ae566c7b6b61e32cd77f3a0eb3d6d328534d832dfb7ef8529a80cec1
Opcode Fuzzy Hash: 62b409454d147e2c874c21edef73a2d2916d9fded3f6be8fff82abc911ef461c
Instruction Fuzzy Hash: 5261593120073A96EFBA996C88A4BFF37D8DFB1214F14499EEBC2DB281D6119642C355

Function 01027CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433dc10692a39fa27e81b02c66ae559658090a009b7f9b6d5472e2d3487aba72
Instruction ID: c1f5d1ca98d482605b7f7d2cd1d1217eb87af8a820882f420892d465f80af327
Opcode Fuzzy Hash: 433dc10692a39fa27e81b02c66ae559658090a009b7f9b6d5472e2d3487aba72
Instruction Fuzzy Hash: 54618D3720073A57EE796A2C4854BFF77E8DF76700F00499ADAC3DB681D6129D428366

Function 01021706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 165a16447cccdf20f95bd9952aa631e54e67e758135eb64c2edaeb3fc500d6cf
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: CD8144726090B349EBAE467E857443EFFE16F821A131A07DED4F2CA1C2EE749154D660

Function 01072046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02abfef556d5901ee2f428257f4db4eeba71525164a434b966533d7edfdc54b
Instruction ID: 09e8e12cbcf958f49d42e51641af17eeea54854479be1fb8e0f49a8d2cde7389
Opcode Fuzzy Hash: a02abfef556d5901ee2f428257f4db4eeba71525164a434b966533d7edfdc54b
Instruction Fuzzy Hash: EC21BB327216118BD728CE79C41267E73D5A754210F198A6EE4E7C37C5DE3AA904C794

Function 01011199 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa2797c83bc74d8cebf783e24703566e9141e7a3bf68454490c55f37a68fab5
Instruction ID: 37ab0d5740d06b6e9a338c59cf4510f41d23a4fc78bd455811045a0887ac8dda
Opcode Fuzzy Hash: cfa2797c83bc74d8cebf783e24703566e9141e7a3bf68454490c55f37a68fab5
Instruction Fuzzy Hash: 2AF0DF355463569FC7C71F74C802195B7F0FF1733836400EDE480C9426E26E19A38B40

Function 01082ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01082B30
DeleteObject.GDI32(00000000), ref: 01082B43
DestroyWindow.USER32 ref: 01082B52
GetDesktopWindow.USER32 ref: 01082B6D
GetWindowRect.USER32(00000000), ref: 01082B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 01082CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 01082CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01082CF8
GetClientRect.USER32(00000000,?), ref: 01082D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01082D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01082D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01082D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01082D80
GlobalLock.KERNEL32(00000000), ref: 01082D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01082D98
GlobalUnlock.KERNEL32(00000000), ref: 01082DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01082DA8
GlobalFree.KERNEL32(00000000), ref: 01082DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01082DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0109FC38,00000000), ref: 01082DDB
GlobalFree.KERNEL32(00000000), ref: 01082DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 01082E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 01082E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01082E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0108303F

Strings

DISPLAY, xrefs: 01082EA2
, xrefs: 01082FC5
AutoIt v3, xrefs: 01082CF2
static, xrefs: 01082D3A, 01082E91

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: e2d50056b31b7c369c689a87334f964a41d9b763d88bd1837b6a6a7887535170
Instruction ID: 81fcf78de7c9a1ef0c60c5c1bf14763d83a2da44deb24949724e1bdb6c66365d
Opcode Fuzzy Hash: e2d50056b31b7c369c689a87334f964a41d9b763d88bd1837b6a6a7887535170
Instruction Fuzzy Hash: 00029E71900205AFEB24DFA4CD98EAE7BB9FF49711F048158F995AB290CB75ED01CB60

Function 010970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0109712F
GetSysColorBrush.USER32(0000000F), ref: 01097160
GetSysColor.USER32(0000000F), ref: 0109716C
SetBkColor.GDI32(?,000000FF), ref: 01097186
SelectObject.GDI32(?,?), ref: 01097195
InflateRect.USER32(?,000000FF,000000FF), ref: 010971C0
GetSysColor.USER32(00000010), ref: 010971C8
CreateSolidBrush.GDI32(00000000), ref: 010971CF
FrameRect.USER32(?,?,00000000), ref: 010971DE
DeleteObject.GDI32(00000000), ref: 010971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 01097230
FillRect.USER32(?,?,?), ref: 01097262
GetWindowLongW.USER32(?,000000F0), ref: 01097284

Part of subcall function 010973E8: GetSysColor.USER32(00000012), ref: 01097421
Part of subcall function 010973E8: SetTextColor.GDI32(?,?), ref: 01097425
Part of subcall function 010973E8: GetSysColorBrush.USER32(0000000F), ref: 0109743B
Part of subcall function 010973E8: GetSysColor.USER32(0000000F), ref: 01097446
Part of subcall function 010973E8: GetSysColor.USER32(00000011), ref: 01097463
Part of subcall function 010973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 01097471
Part of subcall function 010973E8: SelectObject.GDI32(?,00000000), ref: 01097482
Part of subcall function 010973E8: SetBkColor.GDI32(?,00000000), ref: 0109748B
Part of subcall function 010973E8: SelectObject.GDI32(?,?), ref: 01097498
Part of subcall function 010973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 010974B7
Part of subcall function 010973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010974CE
Part of subcall function 010973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 010974DB

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: c8086aec7836cd51837e3b205766d240207ce71579b6141f1168490f48df4ab5
Instruction ID: 461b3c32078b1478411db534270351c24a3e94fc4871935390524c90f8bb96bb
Opcode Fuzzy Hash: c8086aec7836cd51837e3b205766d240207ce71579b6141f1168490f48df4ab5
Instruction Fuzzy Hash: 73A1BF72418301AFEB219F64DD58A6B7BE9FF89320F100A19FAE2961D0D73AD844CF51

Function 01018D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 01018E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 01056AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 01056AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 01056F43

Part of subcall function 01018F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,01018BE8,?,00000000,?,?,?,?,01018BBA,00000000,?), ref: 01018FC5

SendMessageW.USER32(?,00001053), ref: 01056F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 01056F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 01056FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 01056FB7

Strings

0, xrefs: 01056DCF

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 35d3ceb1f1cefd25ee9339d4e5575fe4391731832b52fa8d9895dcc3d8ad58eb
Instruction ID: 164fb75bc632c37959f3c3feab056c62cbbfa3f8d580db2727f322c577adbe26
Opcode Fuzzy Hash: 35d3ceb1f1cefd25ee9339d4e5575fe4391731832b52fa8d9895dcc3d8ad58eb
Instruction Fuzzy Hash: D312D130501201EFEBA5CF18C948BAABBF5FB45300F9484A9F9C58B256CB37E991CB51

Function 01082711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0108273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0108286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 010828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 010828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 01082900
GetClientRect.USER32(00000000,?), ref: 0108290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 01082955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01082964
GetStockObject.GDI32(00000011), ref: 01082974
SelectObject.GDI32(00000000,00000000), ref: 01082978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 01082988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01082991
DeleteDC.GDI32(00000000), ref: 0108299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 010829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 01082A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01082A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 01082A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 01082A77
GetStockObject.GDI32(00000011), ref: 01082A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01082A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 01082A97

Strings

DISPLAY, xrefs: 0108295A
AutoIt v3, xrefs: 010828F8
msctls_progress32, xrefs: 01082A13
static, xrefs: 0108294F, 01082A71

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 6b9722a87c6cdb7a03e3ecb6d8dc2b4ca0ea901c32189cc67ea86dc732c265fc
Instruction ID: bcba93564647b5da0dd10149d1ca5125afe7458169b14e5b02e1d64a9486a8e6
Opcode Fuzzy Hash: 6b9722a87c6cdb7a03e3ecb6d8dc2b4ca0ea901c32189cc67ea86dc732c265fc
Instruction Fuzzy Hash: 3FB16FB1A00215AFEB24DF68CD45FAE7BA9FB08711F008154FA95E72D0DB75AD40CBA4

Function 01074ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 01074AED
GetDriveTypeW.KERNEL32(?,0109CB68,?,\\.\,0109CC08), ref: 01074BCA
SetErrorMode.KERNEL32(00000000,0109CB68,?,\\.\,0109CC08), ref: 01074D36

Strings

USB, xrefs: 01074CB4
RAID, xrefs: 01074CBB
iSCSI, xrefs: 01074CC2
SATA, xrefs: 01074CD0
FileBackedVirtual, xrefs: 01074CEC
RAMDisk, xrefs: 01074BF4
MMC, xrefs: 01074CDE
Unknown, xrefs: 01074BED, 01074C83
1394, xrefs: 01074C9F
ATA, xrefs: 01074C98
ATAPI, xrefs: 01074C91
SSA, xrefs: 01074CA6
Removable, xrefs: 01074C10, 01074C15
Fibre, xrefs: 01074CAD
Network, xrefs: 01074C02
SSD, xrefs: 01074C4A
SCSI, xrefs: 01074C8A
SAS, xrefs: 01074CC9
\\.\, xrefs: 01074B3F
Fixed, xrefs: 01074C09
PhysicalDrive, xrefs: 01074B76
CDROM, xrefs: 01074BFB
Virtual, xrefs: 01074CE5

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: dabadb89fdc71261cebfae4d87258bb172864c4059da7a978e7d060ccf21e522
Instruction ID: ff945664ca789fba01f072a1198af384563f81b9fa8cc9b748be37ae6e755d00
Opcode Fuzzy Hash: dabadb89fdc71261cebfae4d87258bb172864c4059da7a978e7d060ccf21e522
Instruction Fuzzy Hash: 9F61AF71E0010EDBDBA4EF28CA819BD77E1BB44604B14805DE8C6EB351DB76ED85CB49

Function 010973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 01097421
SetTextColor.GDI32(?,?), ref: 01097425
GetSysColorBrush.USER32(0000000F), ref: 0109743B
GetSysColor.USER32(0000000F), ref: 01097446
CreateSolidBrush.GDI32(?), ref: 0109744B
GetSysColor.USER32(00000011), ref: 01097463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 01097471
SelectObject.GDI32(?,00000000), ref: 01097482
SetBkColor.GDI32(?,00000000), ref: 0109748B
SelectObject.GDI32(?,?), ref: 01097498
InflateRect.USER32(?,000000FF,000000FF), ref: 010974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 010974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0109752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 01097554
InflateRect.USER32(?,000000FD,000000FD), ref: 01097572
DrawFocusRect.USER32(?,?), ref: 0109757D
GetSysColor.USER32(00000011), ref: 0109758E
SetTextColor.GDI32(?,00000000), ref: 01097596
DrawTextW.USER32(?,010970F5,000000FF,?,00000000), ref: 010975A8
SelectObject.GDI32(?,?), ref: 010975BF
DeleteObject.GDI32(?), ref: 010975CA
SelectObject.GDI32(?,?), ref: 010975D0
DeleteObject.GDI32(?), ref: 010975D5
SetTextColor.GDI32(?,?), ref: 010975DB
SetBkColor.GDI32(?,?), ref: 010975E5

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1fe6299846d263b0ac9e5c3c3d48c673929442ee980023b66ee512756f802ef0
Instruction ID: f429b50e7c07182cf2513a3b8aa3178443417ab2deea5028baf56b9519bb1969
Opcode Fuzzy Hash: 1fe6299846d263b0ac9e5c3c3d48c673929442ee980023b66ee512756f802ef0
Instruction Fuzzy Hash: 75618C72D00218AFEF119FA8DD58AEEBFB9FB09320F104111FA51AB291D7759940DF90

Function 01090FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01091128
GetDesktopWindow.USER32 ref: 0109113D
GetWindowRect.USER32(00000000), ref: 01091144
GetWindowLongW.USER32(?,000000F0), ref: 01091199
DestroyWindow.USER32(?), ref: 010911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 010911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0109120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0109121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 01091232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 01091245
IsWindowVisible.USER32(00000000), ref: 010912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 010912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 010912D0
GetWindowRect.USER32(00000000,?), ref: 010912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0109130E
GetMonitorInfoW.USER32(00000000,?), ref: 01091328
CopyRect.USER32(?,?), ref: 0109133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 010913AA

Strings

(, xrefs: 0109131B
0, xrefs: 010910D3
tooltips_class32, xrefs: 010911E6

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e30f82f52e18400d6c6b0e6d9962f6d460c0acef9fa19b5f56acf8f813c60867
Instruction ID: 9cb06ec2f9fcfcc2fdb33c201ecc84de6517ea29a273f58e0829ea849f0ebc89
Opcode Fuzzy Hash: e30f82f52e18400d6c6b0e6d9962f6d460c0acef9fa19b5f56acf8f813c60867
Instruction Fuzzy Hash: 6DB1AE71604342AFEB10DF24C994BAEBBE4FF88364F008958F9D99B291C771E844DB91

Function 01090241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010902E5
_wcslen.LIBCMT ref: 0109031F
_wcslen.LIBCMT ref: 01090389
_wcslen.LIBCMT ref: 010903F1
_wcslen.LIBCMT ref: 01090475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 010904C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01090504

Part of subcall function 0101F9F2: _wcslen.LIBCMT ref: 0101F9FD

Part of subcall function 0106223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01062258
Part of subcall function 0106223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0106228A

Strings

GETSELECTEDCOUNT, xrefs: 01090470, 0109048B
GETITEMCOUNT, xrefs: 01090316, 01090337
SELECT, xrefs: 01090548
GETSUBITEMCOUNT, xrefs: 01090384, 0109039F
SELECTCLEAR, xrefs: 0109052D
FINDITEM, xrefs: 01090627
DESELECT, xrefs: 0109059C
VIEWCHANGE, xrefs: 01090675
GETTEXT, xrefs: 010903EC, 01090407
ISSELECTED, xrefs: 010904DD
GETSELECTED, xrefs: 010905E1
SELECTALL, xrefs: 01090515
SELECTINVERT, xrefs: 0109057E

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: d12b4fa24bc0e5c045b24fe0e571b5aba761e1b8749bd32e72b9fd2cfc497671
Instruction ID: 0d25709ea03162252e5a2659378e3462672ceca356d9dca9d613888f2b2c9d8c
Opcode Fuzzy Hash: d12b4fa24bc0e5c045b24fe0e571b5aba761e1b8749bd32e72b9fd2cfc497671
Instruction Fuzzy Hash: 99E1B2312042028FDB14DF28C5A096EB7EABFD8614F54859CF8D69B3A9DB30ED45DB81

Function 01018891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 01018968
GetSystemMetrics.USER32(00000007), ref: 01018970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0101899B
GetSystemMetrics.USER32(00000008), ref: 010189A3
GetSystemMetrics.USER32(00000004), ref: 010189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 010189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 010189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 01018A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 01018A3C
GetClientRect.USER32(00000000,000000FF), ref: 01018A5A
GetStockObject.GDI32(00000011), ref: 01018A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 01018A81

Part of subcall function 0101912D: GetCursorPos.USER32(?), ref: 01019141
Part of subcall function 0101912D: ScreenToClient.USER32(00000000,?), ref: 0101915E
Part of subcall function 0101912D: GetAsyncKeyState.USER32(00000001), ref: 01019183
Part of subcall function 0101912D: GetAsyncKeyState.USER32(00000002), ref: 0101919D

SetTimer.USER32(00000000,00000000,00000028,010190FC), ref: 01018AA8

Strings

AutoIt v3 GUI, xrefs: 01018A20

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 0925ad1ee5abfb792b6a7a2f06706e404362f68b299630a2edc1b5446f503cf3
Instruction ID: 6ca39d095e1448be7456d53dc069154829cdccda47fd426870c70a2f58420ab7
Opcode Fuzzy Hash: 0925ad1ee5abfb792b6a7a2f06706e404362f68b299630a2edc1b5446f503cf3
Instruction Fuzzy Hash: 9CB19F71A0020AAFEF54DFA8D955BAE7BB5FB48310F004219FE95A7284DB39E941CF50

Function 01060D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01061114
Part of subcall function 010610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01060B9B,?,?,?), ref: 01061120
Part of subcall function 010610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01060B9B,?,?,?), ref: 0106112F
Part of subcall function 010610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01060B9B,?,?,?), ref: 01061136
Part of subcall function 010610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0106114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01060DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01060E29
GetLengthSid.ADVAPI32(?), ref: 01060E40
GetAce.ADVAPI32(?,00000000,?), ref: 01060E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01060E96
GetLengthSid.ADVAPI32(?), ref: 01060EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 01060EB5
HeapAlloc.KERNEL32(00000000), ref: 01060EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 01060EDD
CopySid.ADVAPI32(00000000), ref: 01060EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01060F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01060F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 01060F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01060F6E
HeapFree.KERNEL32(00000000), ref: 01060F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01060F7E
HeapFree.KERNEL32(00000000), ref: 01060F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01060F8E
HeapFree.KERNEL32(00000000), ref: 01060F95
GetProcessHeap.KERNEL32(00000000,?), ref: 01060FA1
HeapFree.KERNEL32(00000000), ref: 01060FA8

Part of subcall function 01061193: GetProcessHeap.KERNEL32(00000008,01060BB1,?,00000000,?,01060BB1,?), ref: 010611A1
Part of subcall function 01061193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01060BB1,?), ref: 010611A8
Part of subcall function 01061193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01060BB1,?), ref: 010611B7

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: e8c550358165b1c4348cb14d26b2bdcd5f3fbfdc0dd64de252a6a585c9e56346
Instruction ID: 273115d8bd7db3cba71b4edb2a57cf483883c656bd2ab0e03f9c3cbc74216f17
Opcode Fuzzy Hash: e8c550358165b1c4348cb14d26b2bdcd5f3fbfdc0dd64de252a6a585c9e56346
Instruction Fuzzy Hash: 97717B7290020AABEF209FA8DD44FEEBBBCBF55300F048155FA99A6184D7359905CB60

Function 0108C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0108C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0109CC08,00000000,?,00000000,?,?), ref: 0108C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0108C5A4
_wcslen.LIBCMT ref: 0108C5F4
_wcslen.LIBCMT ref: 0108C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0108C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0108C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0108C84D
RegCloseKey.ADVAPI32(?), ref: 0108C881
RegCloseKey.ADVAPI32(00000000), ref: 0108C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0108C960

Strings

REG_MULTI_SZ, xrefs: 0108C6F5
REG_QWORD, xrefs: 0108C8C3
REG_DWORD, xrefs: 0108C804
REG_BINARY, xrefs: 0108C913
REG_EXPAND_SZ, xrefs: 0108C5CD
REG_SZ, xrefs: 0108C644

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: db73b57f4f85b19e0b3dbf5f3edefb6b8aad574627a4fb139117cda30ec6d44d
Instruction ID: 4b65f210b55ca06346eb96046b936035c248b8eebbbd140dd139cccd36d3cf5d
Opcode Fuzzy Hash: db73b57f4f85b19e0b3dbf5f3edefb6b8aad574627a4fb139117cda30ec6d44d
Instruction Fuzzy Hash: E9126B356042019FE715EF18C590AAABBE5FF88714F04889CE9CA9B3A1DB35FD41CB91

Function 0109091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010909C6
_wcslen.LIBCMT ref: 01090A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01090A54
_wcslen.LIBCMT ref: 01090A8A
_wcslen.LIBCMT ref: 01090B06
_wcslen.LIBCMT ref: 01090B81

Part of subcall function 0101F9F2: _wcslen.LIBCMT ref: 0101F9FD

Part of subcall function 01062BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 01062BFA

Strings

GETTOTALCOUNT, xrefs: 010909F2, 01090A17
CHECK, xrefs: 01090A85, 01090AA0
EXPAND, xrefs: 01090BF8
EXISTS, xrefs: 01090B7C, 01090B97
COLLAPSE, xrefs: 01090B01, 01090B1C
GETITEMCOUNT, xrefs: 01090C1E
GETTEXT, xrefs: 01090C97
GETSELECTED, xrefs: 01090C4E
SELECT, xrefs: 01090D11
ISCHECKED, xrefs: 01090CE1
UNCHECK, xrefs: 01090D3E

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: af3c387b4ef54962b9a995bedc738d69dfdd4c5e16dc157e8ee019d358ead9be
Instruction ID: 14ebd4ff0a1f2527eec84eaa7eacfa0b0280203999398ff7c7e8dfce30f7f464
Opcode Fuzzy Hash: af3c387b4ef54962b9a995bedc738d69dfdd4c5e16dc157e8ee019d358ead9be
Instruction Fuzzy Hash: CCE1AE312043028FCB14EF28C4609AEB7E9BF98614F44899CF8D69B3A5DB35ED45DB81

Function 0108C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0108B6AE,?,?), ref: 0108C9B5
_wcslen.LIBCMT ref: 0108C9F1
_wcslen.LIBCMT ref: 0108CA68
_wcslen.LIBCMT ref: 0108CA9E
_wcslen.LIBCMT ref: 0108CAF9
_wcslen.LIBCMT ref: 0108CB2F
_wcslen.LIBCMT ref: 0108CB7F

Strings

HKCU, xrefs: 0108CBCE
HKEY_LOCAL_MACHINE, xrefs: 0108CA62, 0108CA67
HKEY_CLASSES_ROOT, xrefs: 0108CAF3, 0108CAF8
HKLM, xrefs: 0108CA98, 0108CA9D
HKEY_CURRENT_CONFIG, xrefs: 0108CB79, 0108CB7E
HKU, xrefs: 0108CBF0
HKEY_USERS, xrefs: 0108CBDF
HKCC, xrefs: 0108CBAC
HKCR, xrefs: 0108CB29, 0108CB2E
HKEY_CURRENT_USER, xrefs: 0108CBBD

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ae6c0ef6d56cbc0b2cefba27034efcdfdcc29381f31f2ec0b027e975f846b222
Instruction ID: 25427257faec61e1c3e967b6d0dc624cad34e7ce00240572e14cbeba7d80a4ae
Opcode Fuzzy Hash: ae6c0ef6d56cbc0b2cefba27034efcdfdcc29381f31f2ec0b027e975f846b222
Instruction Fuzzy Hash: 1371243260852B8BEB21FF7CCA405FE77F5AB60658F150199E8E297285EA31CD44C7B0

Function 0109833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0109835A
_wcslen.LIBCMT ref: 0109836E
_wcslen.LIBCMT ref: 01098391
_wcslen.LIBCMT ref: 010983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 010983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,01095BF2), ref: 0109844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01098487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 010984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01098501
FreeLibrary.KERNEL32(?), ref: 0109850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0109851D
DestroyIcon.USER32(?,?,?,?,?,01095BF2), ref: 0109852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 01098549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 01098555

Strings

.exe, xrefs: 01098388
.dll, xrefs: 010983AB
.icl, xrefs: 01098368

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 8a76f3273f2f3ffb35cd700408c02c607b0b7df4ac5ea01c1b0791e42fbdd4be
Instruction ID: fe5711ab7a00785f0781e518262a9dac33710bd0d7ac9d783124920cad118ddf
Opcode Fuzzy Hash: 8a76f3273f2f3ffb35cd700408c02c607b0b7df4ac5ea01c1b0791e42fbdd4be
Instruction Fuzzy Hash: DA61E271900219BAEF24DF64CC50BFE77A8BF09721F10864AF995D61D0DBB5A980DBA0

Function 01007778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include, xrefs: 01007847
#cs, xrefs: 01007873, 010078C5
#include-once, xrefs: 0100782F
#notrayicon, xrefs: 010077E7
', xrefs: 01045169
#comments-end, xrefs: 010078D9
#pragma compile, xrefs: 010077D3
", xrefs: 01045153
#ce, xrefs: 010078ED
#requireadmin, xrefs: 010077FF
Cannot parse #include, xrefs: 01045279
Bad directive syntax error, xrefs: 0104519A
#OnAutoItStartRegister, xrefs: 01007817
#comments-start, xrefs: 0100785F, 010078B1
Unterminated group of comments, xrefs: 0104528C

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: c19f7ea9c2964ea56f313b8f127a669acd8d68701b8aa80b471a2654892da7e0
Instruction ID: a2be7642a9c734b641dffeaa45dd356919bda7eace99ad6394d65dec1d43d0af
Opcode Fuzzy Hash: c19f7ea9c2964ea56f313b8f127a669acd8d68701b8aa80b471a2654892da7e0
Instruction Fuzzy Hash: 3681E7B1640206BBEF22AF64CC81FEE3BE4BF55340F044065F9C9AA195EB74E601C7A1

Function 01073E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 01073EF8
_wcslen.LIBCMT ref: 01073F03
_wcslen.LIBCMT ref: 01073F5A
_wcslen.LIBCMT ref: 01073F98
GetDriveTypeW.KERNEL32(?), ref: 01073FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0107401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01074059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01074087

Strings

type cdaudio alias cd wait, xrefs: 01074001
closed, xrefs: 01073F08, 01073F2D, 01073F46, 01073F7E, 01073F97
open, xrefs: 01073F54, 01073F59
close cd wait, xrefs: 01074072
open , xrefs: 01073FE5
wait, xrefs: 01074044
set cd door , xrefs: 01074028
close, xrefs: 01073EFE, 01073F18

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 69ec9251248a3628535a4dd62f55ec66595c07f00e860aca20c4f8a99a8cc500
Instruction ID: ade5622c0dc4a3ab072d1f890bf3de17a94ec05adb61f8fdaff0fe9a85205a23
Opcode Fuzzy Hash: 69ec9251248a3628535a4dd62f55ec66595c07f00e860aca20c4f8a99a8cc500
Instruction Fuzzy Hash: 8871F271A042129FE311EF28C8809AEB7F4FF94654F40496DF4D697291EB31ED45CB91

Function 01065A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 01065A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 01065A40
SetWindowTextW.USER32(?,?), ref: 01065A57
GetDlgItem.USER32(?,000003EA), ref: 01065A6C
SetWindowTextW.USER32(00000000,?), ref: 01065A72
GetDlgItem.USER32(?,000003E9), ref: 01065A82
SetWindowTextW.USER32(00000000,?), ref: 01065A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 01065AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 01065AC3
GetWindowRect.USER32(?,?), ref: 01065ACC
_wcslen.LIBCMT ref: 01065B33
SetWindowTextW.USER32(?,?), ref: 01065B6F
GetDesktopWindow.USER32 ref: 01065B75
GetWindowRect.USER32(00000000), ref: 01065B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 01065BD3
GetClientRect.USER32(?,?), ref: 01065BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 01065C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 01065C2F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 2e89f2c957ea7b87e00e0bb20157a94536e051ac00eb95b2248218251539f949
Instruction ID: a5d6079b160c2d54a28ee4693b1d26d79a7fc39e4095da45ebeb0d0e215ce61f
Opcode Fuzzy Hash: 2e89f2c957ea7b87e00e0bb20157a94536e051ac00eb95b2248218251539f949
Instruction Fuzzy Hash: EE717C31A00709AFEB20DFA8CE85AAEBBF9FF48744F104958E582A2594D775E944CF50

Function 0107FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0107FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0107FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0107FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0107FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0107FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0107FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0107FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0107FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0107FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0107FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0107FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0107FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0107FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0107FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0107FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0107FECC
GetCursorInfo.USER32(?), ref: 0107FEDC
GetLastError.KERNEL32 ref: 0107FF1E

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 35cd814f34d374148f6b11b4c0c184b65935458c70c6c29137497d39e74190d1
Instruction ID: 9e48377a288292cdfd9d7f32b68ea9e4c7ca788d08560795e9676f63c629d89e
Opcode Fuzzy Hash: 35cd814f34d374148f6b11b4c0c184b65935458c70c6c29137497d39e74190d1
Instruction Fuzzy Hash: A54165B0D0831A6BDB10DFBA8C8486EBFE8FF04354B50456AE15DE7281DB78A501CF91

Function 010200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 010200C6

Part of subcall function 010200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(010D070C,00000FA0,DD46F2F2,?,?,?,?,010423B3,000000FF), ref: 0102011C
Part of subcall function 010200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,010423B3,000000FF), ref: 01020127
Part of subcall function 010200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,010423B3,000000FF), ref: 01020138
Part of subcall function 010200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0102014E
Part of subcall function 010200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0102015C
Part of subcall function 010200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0102016A
Part of subcall function 010200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 01020195
Part of subcall function 010200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 010201A0

___scrt_fastfail.LIBCMT ref: 010200E7

Part of subcall function 010200A3: __onexit.LIBCMT ref: 010200A9

Strings

InitializeConditionVariable, xrefs: 01020148
SleepConditionVariableCS, xrefs: 01020154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 01020122
kernel32.dll, xrefs: 01020133
WakeAllConditionVariable, xrefs: 01020162

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: f999e11d9def9d6bb526800c762cf851a70f387c4625ebf228ec78f46dbef469
Instruction ID: c861d19f46f9fd6d88973e50919af5e1db955a37d11725aed65df125479899b5
Opcode Fuzzy Hash: f999e11d9def9d6bb526800c762cf851a70f387c4625ebf228ec78f46dbef469
Instruction Fuzzy Hash: E9216B72F463226BF7206B75A855B6E3BD4FB05E51F10012EF9C5DA24CDB7988008B94

Function 010630F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0106318D
_wcslen.LIBCMT ref: 010631F8

Strings

TEXT, xrefs: 0106347C
INSTANCE, xrefs: 01063453
NAME, xrefs: 01063335, 01063346
CLASSNN, xrefs: 010631F3, 01063204
REGEXPCLASS, xrefs: 01063255, 01063266
CLASS, xrefs: 01063188, 010631A5

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 0a467057afc7819814c93fc052ad17df6f5e1f89ffd5556f13004660ab45355e
Instruction ID: 854a17f1bff5d97e90f136bceb930ac31aa918eeb9efb333681bf5f743c69c27
Opcode Fuzzy Hash: 0a467057afc7819814c93fc052ad17df6f5e1f89ffd5556f13004660ab45355e
Instruction Fuzzy Hash: 13E10332B00126ABDB599FA8C8406EEFBF8BF44610F548159D5DAFB240DF30A985CBD0

Function 010744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0109CC08), ref: 01074527
_wcslen.LIBCMT ref: 0107453B
_wcslen.LIBCMT ref: 01074599
_wcslen.LIBCMT ref: 010745F4
_wcslen.LIBCMT ref: 0107463F
_wcslen.LIBCMT ref: 010746A7

Part of subcall function 0101F9F2: _wcslen.LIBCMT ref: 0101F9FD

GetDriveTypeW.KERNEL32(?,010C6BF0,00000061), ref: 01074743

Strings

ramdisk, xrefs: 010746F1
unknown, xrefs: 01074708
all, xrefs: 01074531, 01074536
fixed, xrefs: 01074635, 0107463A
network, xrefs: 0107469D, 010746A2
removable, xrefs: 010745EA, 010745EF
cdrom, xrefs: 0107458F, 01074594

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 8071a90830ab11988c6e5d4d6c74565cdf3f13b5f09fbc6ca100af395ce262ac
Instruction ID: a0ca1770a4c3309f1d8dd0cc055684592cfcc4cc84908a072bf69c652d9cbb8f
Opcode Fuzzy Hash: 8071a90830ab11988c6e5d4d6c74565cdf3f13b5f09fbc6ca100af395ce262ac
Instruction Fuzzy Hash: 74B1F071A083029FC711DF28C890AAEB7E5BFA9724F40495DF5D6C7291D730D844CBA6

Function 01083FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0109CC08), ref: 010840BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 010840CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0109CC08), ref: 010840F2
FreeLibrary.KERNEL32(00000000,?,0109CC08), ref: 0108413E
StringFromGUID2.OLE32(?,?,00000028,?,0109CC08), ref: 010841A8
SysFreeString.OLEAUT32(00000009), ref: 01084262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 010842C8
SysFreeString.OLEAUT32(?), ref: 010842F2

Strings

GetModuleHandleExW, xrefs: 010840C7
kernel32.dll, xrefs: 010840B6

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 6b8b1ad4c353afcc4d8d319a503a1bb467e00e85dbb9ad9680ea7961f40d9585
Instruction ID: c8b7e9479c9fdb4093e5dcf02ca44c89f0d7543c3211ab447fc9c31bd502805c
Opcode Fuzzy Hash: 6b8b1ad4c353afcc4d8d319a503a1bb467e00e85dbb9ad9680ea7961f40d9585
Instruction Fuzzy Hash: 31125D75A0410AEFDB55DF58C884EAEBBB5FF45318F148098E985DB251CB31ED42CBA0

Function 0100326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(010D1990), ref: 01042F8D
GetMenuItemCount.USER32(010D1990), ref: 0104303D
GetCursorPos.USER32(?), ref: 01043081
SetForegroundWindow.USER32(00000000), ref: 0104308A
TrackPopupMenuEx.USER32(010D1990,00000000,?,00000000,00000000,00000000), ref: 0104309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 010430A9

Strings

0, xrefs: 0100327D

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 770d69f83b050a74cc1a0d4f309ee0ef6d4eb0b120232e1248a17cd2bd443a89
Instruction ID: ef53102f8c6ec665221c5a7111ad132485d78e238a150a29f11168b4cf4f4a05
Opcode Fuzzy Hash: 770d69f83b050a74cc1a0d4f309ee0ef6d4eb0b120232e1248a17cd2bd443a89
Instruction Fuzzy Hash: 9471E5B1640216BFFB329B69DC98F9ABFA4FF05324F104266F6956A1D0C7B1A850CB50

Function 01096CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 01096DEB

Part of subcall function 01006B57: _wcslen.LIBCMT ref: 01006B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 01096E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 01096E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01096E94
DestroyWindow.USER32(?), ref: 01096EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,01000000,00000000), ref: 01096EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01096EFD
GetDesktopWindow.USER32 ref: 01096F16
GetWindowRect.USER32(00000000), ref: 01096F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 01096F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 01096F4D

Part of subcall function 01019944: GetWindowLongW.USER32(?,000000EB), ref: 01019952

Strings

0, xrefs: 01096D98
tooltips_class32, xrefs: 01096E58, 01096EDD

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: eb685a3165046b5b86db337cd697836eabe955639fb34c49fb348fdc9f3893a4
Instruction ID: 0211fe40869aad62c2f3fc6cc58157ce18643685cb7bb9fc438ccdfe91940166
Opcode Fuzzy Hash: eb685a3165046b5b86db337cd697836eabe955639fb34c49fb348fdc9f3893a4
Instruction Fuzzy Hash: 62716771504245AFEB21CF1CC864FBABBE9FB89304F44045DFADA87261CB76A906DB11

Function 0109911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 01019BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01019BB2

DragQueryPoint.SHELL32(?,?), ref: 01099147

Part of subcall function 01097674: ClientToScreen.USER32(?,?), ref: 0109769A
Part of subcall function 01097674: GetWindowRect.USER32(?,?), ref: 01097710
Part of subcall function 01097674: PtInRect.USER32(?,?,01098B89), ref: 01097720

SendMessageW.USER32(?,000000B0,?,?), ref: 010991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 010991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 010991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 01099225
SendMessageW.USER32(?,000000B0,?,?), ref: 0109923E
SendMessageW.USER32(?,000000B1,?,?), ref: 01099255
SendMessageW.USER32(?,000000B1,?,?), ref: 01099277
DragFinish.SHELL32(?), ref: 0109927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 01099371

Strings

@GUI_DROPID, xrefs: 0109929E
@GUI_DRAGFILE, xrefs: 01099320
@GUI_DRAGID, xrefs: 010992E9

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: ea9a6c8fb88082b18b27f92ab7128a11c975cc0d4feb112fa19e0171a42ba130
Instruction ID: 522a641e913b3fe147be8a2b6073049a296236e9e1edc31066012fb65ddfb524
Opcode Fuzzy Hash: ea9a6c8fb88082b18b27f92ab7128a11c975cc0d4feb112fa19e0171a42ba130
Instruction Fuzzy Hash: 4D619772508302AFE701DF64C994DAFBBE8FF98754F40091EF5D5921A0DB319A49CBA2

Function 0107C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0107C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0107C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0107C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0107C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0107C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0107C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0107C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0107C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0107C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0107C5F0
InternetCloseHandle.WININET(00000000), ref: 0107C5FB

Strings

, xrefs: 0107C575

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 8259580a38b7ab9a63ee4002c022e9fca36b3a358eb23340aafac6b89ea1a7ee
Instruction ID: 28142c991fca2a88dd39787a05a47537c8421c3f628e246c6dac10298a3ef6af
Opcode Fuzzy Hash: 8259580a38b7ab9a63ee4002c022e9fca36b3a358eb23340aafac6b89ea1a7ee
Instruction Fuzzy Hash: 8F5120B190060ABFFB219F64CA88AAB7BFCFF08754F004559F98696140DB36D944DB64

Function 0109856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 01098592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010985A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010985AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010985BA
GlobalLock.KERNEL32(00000000), ref: 010985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010985D7
GlobalUnlock.KERNEL32(00000000), ref: 010985E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010985F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0109FC38,?), ref: 01098611
GlobalFree.KERNEL32(00000000), ref: 01098621
GetObjectW.GDI32(?,00000018,?), ref: 01098641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 01098671
DeleteObject.GDI32(?), ref: 01098699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 010986AF

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: e8f4bdad0f9d5de74260bf8c2e2095895098563c026158e02f187f6ac7ad44a7
Instruction ID: 4820ad59909e2908589d3f8d639b4136d6879e603bd593c759c2d0266d9e3252
Opcode Fuzzy Hash: e8f4bdad0f9d5de74260bf8c2e2095895098563c026158e02f187f6ac7ad44a7
Instruction Fuzzy Hash: 1A413175A00208BFEB21DF69CD58E6E7BB8FF49711F008059F989DB250D7359901DB60

Function 010714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 01071502
VariantCopy.OLEAUT32(?,?), ref: 0107150B
VariantClear.OLEAUT32(?), ref: 01071517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 010715FB
VarR8FromDec.OLEAUT32(?,?), ref: 01071657
VariantInit.OLEAUT32(?), ref: 01071708
SysFreeString.OLEAUT32(?), ref: 0107178C
VariantClear.OLEAUT32(?), ref: 010717D8
VariantClear.OLEAUT32(?), ref: 010717E7
VariantInit.OLEAUT32(00000000), ref: 01071823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 01071625
Default, xrefs: 010716AF

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 4211b185f91a1e126dfb0ebe85dc1127cfa7f53e07594b81c40e8efbb84439f4
Instruction ID: 9214523d370689d55b2e024708b6decb014996bf3df60072f6d63a093bac0997
Opcode Fuzzy Hash: 4211b185f91a1e126dfb0ebe85dc1127cfa7f53e07594b81c40e8efbb84439f4
Instruction Fuzzy Hash: CCD1D071E00216EBEF18AF65D484BBDBBB5BF04704F08809AE5D6AB1C4DB34E845CB65

Function 0108B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

Part of subcall function 0108C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0108B6AE,?,?), ref: 0108C9B5
Part of subcall function 0108C998: _wcslen.LIBCMT ref: 0108C9F1
Part of subcall function 0108C998: _wcslen.LIBCMT ref: 0108CA68
Part of subcall function 0108C998: _wcslen.LIBCMT ref: 0108CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0108B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0108B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0108B80A
RegCloseKey.ADVAPI32(?), ref: 0108B87E
RegCloseKey.ADVAPI32(?), ref: 0108B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0108B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0108B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0108B922
FreeLibrary.KERNEL32(00000000), ref: 0108B983
RegCloseKey.ADVAPI32(00000000), ref: 0108B994

Strings

advapi32.dll, xrefs: 0108B8ED
RegDeleteKeyExW, xrefs: 0108B8FE

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: cafdba102465845206bb70f98049e33c9aecab23883b6f5e9560bee982a11553
Instruction ID: 55b44ab08a96453f8a13d9350e9f7a10f53da5a2b4bcbdd2c928f535aa2ea192
Opcode Fuzzy Hash: cafdba102465845206bb70f98049e33c9aecab23883b6f5e9560bee982a11553
Instruction Fuzzy Hash: 5EC18134208202EFE721EF18C494F6ABBE1BF85318F58859CE5D94B392CB75E945CB91

Function 0108255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 010825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 010825E8
CreateCompatibleDC.GDI32(?), ref: 010825F4
SelectObject.GDI32(00000000,?), ref: 01082601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0108266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 010826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 010826D0
SelectObject.GDI32(?,?), ref: 010826D8
DeleteObject.GDI32(?), ref: 010826E1
DeleteDC.GDI32(?), ref: 010826E8
ReleaseDC.USER32(00000000,?), ref: 010826F3

Strings

(, xrefs: 0108268D

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 2bb561567a7cc5e9d282b704e3c13c80d9187af0199535c3ee1c11b0b8677f60
Instruction ID: b62cfca8b1f5a9cdd43ded71677d1e20aa0408f28fd7f7755f37cbcd98f427d8
Opcode Fuzzy Hash: 2bb561567a7cc5e9d282b704e3c13c80d9187af0199535c3ee1c11b0b8677f60
Instruction Fuzzy Hash: CB6124B5D0020AEFDF14DFA4C984AAEBBF5FF48300F208429E995A7200D735A950CFA4

Function 0103DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0103DAA1

Part of subcall function 0103D63C: _free.LIBCMT ref: 0103D659
Part of subcall function 0103D63C: _free.LIBCMT ref: 0103D66B
Part of subcall function 0103D63C: _free.LIBCMT ref: 0103D67D
Part of subcall function 0103D63C: _free.LIBCMT ref: 0103D68F
Part of subcall function 0103D63C: _free.LIBCMT ref: 0103D6A1
Part of subcall function 0103D63C: _free.LIBCMT ref: 0103D6B3
Part of subcall function 0103D63C: _free.LIBCMT ref: 0103D6C5
Part of subcall function 0103D63C: _free.LIBCMT ref: 0103D6D7
Part of subcall function 0103D63C: _free.LIBCMT ref: 0103D6E9
Part of subcall function 0103D63C: _free.LIBCMT ref: 0103D6FB
Part of subcall function 0103D63C: _free.LIBCMT ref: 0103D70D
Part of subcall function 0103D63C: _free.LIBCMT ref: 0103D71F
Part of subcall function 0103D63C: _free.LIBCMT ref: 0103D731

_free.LIBCMT ref: 0103DA96

Part of subcall function 010329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0103D7D1,00000000,00000000,00000000,00000000,?,0103D7F8,00000000,00000007,00000000,?,0103DBF5,00000000), ref: 010329DE
Part of subcall function 010329C8: GetLastError.KERNEL32(00000000,?,0103D7D1,00000000,00000000,00000000,00000000,?,0103D7F8,00000000,00000007,00000000,?,0103DBF5,00000000,00000000), ref: 010329F0

_free.LIBCMT ref: 0103DAB8
_free.LIBCMT ref: 0103DACD
_free.LIBCMT ref: 0103DAD8
_free.LIBCMT ref: 0103DAFA
_free.LIBCMT ref: 0103DB0D
_free.LIBCMT ref: 0103DB1B
_free.LIBCMT ref: 0103DB26
_free.LIBCMT ref: 0103DB5E
_free.LIBCMT ref: 0103DB65
_free.LIBCMT ref: 0103DB82
_free.LIBCMT ref: 0103DB9A

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: d2bcc3483c2aadae3521e3ef23f30171ef8aa2212ecf39421cbef6c512186c24
Instruction ID: a9027ba6db581a2f6b8eaf0013180e8ba8ba86c47c1ae8ded86f080b041637c5
Opcode Fuzzy Hash: d2bcc3483c2aadae3521e3ef23f30171ef8aa2212ecf39421cbef6c512186c24
Instruction Fuzzy Hash: 43318E31604706DFEB66AAB9E844B9A7BEDFF90350F90449AE4C9D7191DF30E840CB20

Function 0106365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0106369C
_wcslen.LIBCMT ref: 010636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 01063797
GetClassNameW.USER32(?,?,00000400), ref: 0106380C
GetDlgCtrlID.USER32(?), ref: 0106385D
GetWindowRect.USER32(?,?), ref: 01063882
GetParent.USER32(?), ref: 010638A0
ScreenToClient.USER32(00000000), ref: 010638A7
GetClassNameW.USER32(?,?,00000100), ref: 01063921
GetWindowTextW.USER32(?,?,00000400), ref: 0106395D

Strings

%s%u, xrefs: 01063734

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 28f33dba350185c48a7675398b94b3d3d21a99fbbcb768ebc311cfcb2c7a8298
Instruction ID: c40866ac85b8ea27b039d94383f9a7cde6c33ccdafb715be96077947774b8c40
Opcode Fuzzy Hash: 28f33dba350185c48a7675398b94b3d3d21a99fbbcb768ebc311cfcb2c7a8298
Instruction Fuzzy Hash: 92918F71204306AFE719DE28C884BEAB7ECFF48350F008519EAD99A190DB34E945CBE1

Function 01064954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 01064994
GetWindowTextW.USER32(?,?,00000400), ref: 010649DA
_wcslen.LIBCMT ref: 010649EB
CharUpperBuffW.USER32(?,00000000), ref: 010649F7
_wcsstr.LIBVCRUNTIME ref: 01064A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 01064A64
GetWindowTextW.USER32(?,?,00000400), ref: 01064A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 01064AE6
GetClassNameW.USER32(?,?,00000400), ref: 01064B20
GetWindowRect.USER32(?,?), ref: 01064B8B

Strings

ThumbnailClass, xrefs: 01064A6F, 01064AF1

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 5fc8a6e0373020b5a1b9bfadc219932539db45ea17f2e1897e48d696e4768c35
Instruction ID: 4aafcf79e9df5b1e45b2a177a870ca6345b98b962785206284526c69653acf5b
Opcode Fuzzy Hash: 5fc8a6e0373020b5a1b9bfadc219932539db45ea17f2e1897e48d696e4768c35
Instruction Fuzzy Hash: A191C231104206AFEB15DF18C980FAA7BECFF84714F0484A9EEC5DA196DB35E945CBA1

Function 01098D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01019BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01019BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 01098D5A
GetFocus.USER32 ref: 01098D6A
GetDlgCtrlID.USER32(00000000), ref: 01098D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 01098E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 01098ECF
GetMenuItemCount.USER32(?), ref: 01098EEC
GetMenuItemID.USER32(?,00000000), ref: 01098EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 01098F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 01098F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01098FA1

Strings

0, xrefs: 01098E9F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: c2864371352fb46d593bae778981d06dc1e4f57502f91073d9bfffb4c27c4876
Instruction ID: 728dce978c05811479a0655477da82753e20eed151aaf32f6ecb476d3598a108
Opcode Fuzzy Hash: c2864371352fb46d593bae778981d06dc1e4f57502f91073d9bfffb4c27c4876
Instruction Fuzzy Hash: 7081D271508309AFEB21CF28C8A4AAB7BE9FB8A714F04455EFAD597381D731D900DB61

Function 0106BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(010D1990,000000FF,00000000,00000030), ref: 0106BFAC
SetMenuItemInfoW.USER32(010D1990,00000004,00000000,00000030), ref: 0106BFE1
Sleep.KERNEL32(000001F4), ref: 0106BFF3
GetMenuItemCount.USER32(?), ref: 0106C039
GetMenuItemID.USER32(?,00000000), ref: 0106C056
GetMenuItemID.USER32(?,-00000001), ref: 0106C082
GetMenuItemID.USER32(?,?), ref: 0106C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0106C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0106C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0106C145

Strings

0, xrefs: 0106BF3D

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: d7997421135b47f6aa97e396933952871cf5010761d3e3b77347761fee3f7596
Instruction ID: fbda41c47e912bb6477ad00cf0fb0c5d6dac122d8de5d2c0a20a9e7ed34ccad5
Opcode Fuzzy Hash: d7997421135b47f6aa97e396933952871cf5010761d3e3b77347761fee3f7596
Instruction Fuzzy Hash: 3F6162B090024AAFFF25CF58CA88AEE7FACFB46344F044155F9D1A7281C736A945CB61

Function 0106DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0106DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0106DC46
_wcslen.LIBCMT ref: 0106DC50
_wcsstr.LIBVCRUNTIME ref: 0106DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0106DCBC

Strings

DefaultLangCodepage, xrefs: 0106DD1F
%u.%u.%u.%u, xrefs: 0106DD9A
04090000, xrefs: 0106DCF2
StringFileInfo\, xrefs: 0106DC8F
\VarFileInfo\Translation, xrefs: 0106DCB4

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 1c2a0864211fecda7f094e62ff2008cff462e49957886c155d65cc8ed90907ee
Instruction ID: 8b993c8cdf3196068e653db7148cf0ba305359f7cde922ea78a150fc4606bccd
Opcode Fuzzy Hash: 1c2a0864211fecda7f094e62ff2008cff462e49957886c155d65cc8ed90907ee
Instruction Fuzzy Hash: 29412A72A402167BEB11B7B5DC45EFF77ACEF62A20F000099F9C0E6181EB79990597A4

Function 0108CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0108CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0108CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0108CD48

Part of subcall function 0108CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0108CCAA
Part of subcall function 0108CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0108CCBD
Part of subcall function 0108CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0108CCCF
Part of subcall function 0108CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0108CD05
Part of subcall function 0108CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0108CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0108CCF3

Strings

advapi32.dll, xrefs: 0108CCB8
RegDeleteKeyExW, xrefs: 0108CCC9

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 2d56880953d74c4d401a290c6f030f52e80e131143cb7c338102e2864cd9c9ad
Instruction ID: dea03ee1705e36dfe430b31e8fe6706c19ab3d865e8982e8ccdde41a4a5c4e52
Opcode Fuzzy Hash: 2d56880953d74c4d401a290c6f030f52e80e131143cb7c338102e2864cd9c9ad
Instruction Fuzzy Hash: EE316D71905229BBE721AA55DD98EEFBFBCEF46640F0001A5F981E2204DA349A459BB0

Function 01073D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 01073D40
_wcslen.LIBCMT ref: 01073D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 01073D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 01073DBE
RemoveDirectoryW.KERNEL32(?), ref: 01073DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 01073E55
CloseHandle.KERNEL32(00000000), ref: 01073E60
CloseHandle.KERNEL32(00000000), ref: 01073E6B

Strings

:, xrefs: 01073D82
\, xrefs: 01073D77
\??\%s, xrefs: 01073D5B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: ff1bbb28f701abb6a934c42059867ce67f9d98f1b8273c1050289affd68bd16f
Instruction ID: 3d05fe3cb1d3282a28f5933450777c2b689262354f74b9d7893575bc531e2199
Opcode Fuzzy Hash: ff1bbb28f701abb6a934c42059867ce67f9d98f1b8273c1050289affd68bd16f
Instruction Fuzzy Hash: 5931A371A0011AABEB21ABA4DD48FEF37BCFF89700F1041B6F689D6154E77496448B28

Function 0106E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0106E6B4

Part of subcall function 0101E551: timeGetTime.WINMM(?,?,0106E6D4), ref: 0101E555

Sleep.KERNEL32(0000000A), ref: 0106E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0106E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0106E727
SetActiveWindow.USER32 ref: 0106E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0106E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0106E773
Sleep.KERNEL32(000000FA), ref: 0106E77E
IsWindow.USER32 ref: 0106E78A
EndDialog.USER32(00000000), ref: 0106E79B

Strings

BUTTON, xrefs: 0106E719

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: bef3359fe1fe9d02fe2cba27a3a3d53f43082ee15445ca098ded9c40e4bccf63
Instruction ID: b94c947f8950f32ee557e96b5b6463dcef797677c395e627efd90d61c02095e6
Opcode Fuzzy Hash: bef3359fe1fe9d02fe2cba27a3a3d53f43082ee15445ca098ded9c40e4bccf63
Instruction Fuzzy Hash: 9B2193B5601305AFFB329F24ED98A293BADFB59748F104424F9C582149DB7FAC148B64

Function 0106E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0106EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0106EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0106EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0106EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0106EAA7

Strings

alias PlayMe, xrefs: 0106EA36
play PlayMe, xrefs: 0106EAA2
status PlayMe mode, xrefs: 0106EA58
close PlayMe, xrefs: 0106EA6E, 0106EA9B
open , xrefs: 0106EA0C
play PlayMe wait, xrefs: 0106EA91

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 95c756efdb30d4a8dd067624b65f879f0a12e8e3c15fbf0109a56bc58545ba25
Instruction ID: 6c30d01f550e0300547311af78b28482e8af6a85221d9792fa15451094195424
Opcode Fuzzy Hash: 95c756efdb30d4a8dd067624b65f879f0a12e8e3c15fbf0109a56bc58545ba25
Instruction Fuzzy Hash: C4119E35A9021A79E721E7A6DD49DFF6BBCEFD1F00F40042DB981A61D0EEA11905CAB0

Function 01069F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0106A012
SetKeyboardState.USER32(?), ref: 0106A07D
GetAsyncKeyState.USER32(000000A0), ref: 0106A09D
GetKeyState.USER32(000000A0), ref: 0106A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0106A0E3
GetKeyState.USER32(000000A1), ref: 0106A0F4
GetAsyncKeyState.USER32(00000011), ref: 0106A120
GetKeyState.USER32(00000011), ref: 0106A12E
GetAsyncKeyState.USER32(00000012), ref: 0106A157
GetKeyState.USER32(00000012), ref: 0106A165
GetAsyncKeyState.USER32(0000005B), ref: 0106A18E
GetKeyState.USER32(0000005B), ref: 0106A19C

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 32487e7d28000d4239c181d8c7a348056cd1bd2906b98bed797d812402a1f683
Instruction ID: 405a1c056e020836b4a957edfd1598981d141f086c427400d8df4f70a4482e95
Opcode Fuzzy Hash: 32487e7d28000d4239c181d8c7a348056cd1bd2906b98bed797d812402a1f683
Instruction Fuzzy Hash: 6751E930B04788A9FB75EB6484107EBBFFC9F02384F0845C9D6C26B5C2DA64A64CC761

Function 01065CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 01065CE2
GetWindowRect.USER32(00000000,?), ref: 01065CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 01065D59
GetDlgItem.USER32(?,00000002), ref: 01065D69
GetWindowRect.USER32(00000000,?), ref: 01065D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 01065DCF
GetDlgItem.USER32(?,000003E9), ref: 01065DDD
GetWindowRect.USER32(00000000,?), ref: 01065DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 01065E31
GetDlgItem.USER32(?,000003EA), ref: 01065E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 01065E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 01065E67

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 820de60d4f02ee5cb284b8476cbe15274a8a3cdc5d1e40fdc538dc7c1351680a
Instruction ID: 9910f85b5e7443c6d0a686561ad404da6ca2fbeeeeab4cea0ebce111a7684f9c
Opcode Fuzzy Hash: 820de60d4f02ee5cb284b8476cbe15274a8a3cdc5d1e40fdc538dc7c1351680a
Instruction Fuzzy Hash: 46511C71E00205AFDF18DF68CE99AAEBBB9FB58340F508129F555E7294D774AD00CB60

Function 01018BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 01018F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,01018BE8,?,00000000,?,?,?,?,01018BBA,00000000,?), ref: 01018FC5

DestroyWindow.USER32(?), ref: 01018C81
KillTimer.USER32(00000000,?,?,?,?,01018BBA,00000000,?), ref: 01018D1B
DestroyAcceleratorTable.USER32(00000000), ref: 01056973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,01018BBA,00000000,?), ref: 010569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,01018BBA,00000000,?), ref: 010569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,01018BBA,00000000), ref: 010569D4
DeleteObject.GDI32(00000000), ref: 010569E6

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1542c8bd583da560a015e74c4ff97a31755c28e971cbb8e261c918a769d3127f
Instruction ID: 88c92d8cbac920e35f5a4ba786128af71ec9bdb4083ed643293c7d0349ef96da
Opcode Fuzzy Hash: 1542c8bd583da560a015e74c4ff97a31755c28e971cbb8e261c918a769d3127f
Instruction Fuzzy Hash: 5C618E30502705DFEB769F19D648B6ABBF1FB40312F44855EE9C287568C73AAA80CF80

Function 01019838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 01019944: GetWindowLongW.USER32(?,000000EB), ref: 01019952

GetSysColor.USER32(0000000F), ref: 01019862

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 916f5f99b66dbacb15ff21496204095e7199a33c62d8f24e60c0787ac73812b5
Instruction ID: a978aa9f9fb418bd1ed77f9a21ac150b4278580996be94f093ff361ad3767e71
Opcode Fuzzy Hash: 916f5f99b66dbacb15ff21496204095e7199a33c62d8f24e60c0787ac73812b5
Instruction Fuzzy Hash: 6741A331500640EFEB315F3C98A8BBA3BA5BB06338F544655FEE2871E9C7799841DB20

Function 010696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0104F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 01069717
LoadStringW.USER32(00000000,?,0104F7F8,00000001), ref: 01069720

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0104F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 01069742
LoadStringW.USER32(00000000,?,0104F7F8,00000001), ref: 01069745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 01069866

Strings

Line %d:, xrefs: 010697A0
Error: , xrefs: 0106981D
Line %d (File "%s"):, xrefs: 0106978F
^ ERROR, xrefs: 010697FB
%s (%d) : ==> %s: %s %s, xrefs: 0106984A

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 5b754c5bf493f59824c370f1c25bbc4ecd3d0f6b72f71baa58b26952fd6fde5e
Instruction ID: 58ed25b06d06c6dff9a4b5bb024473e7d9acfeca5694787ba4e52cfab0a7442a
Opcode Fuzzy Hash: 5b754c5bf493f59824c370f1c25bbc4ecd3d0f6b72f71baa58b26952fd6fde5e
Instruction Fuzzy Hash: 6341607280020AAAEF16EBE0CE81DEEB77DAF24304F504065E68576191EF356F48CB61

Function 010606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 01006B57: _wcslen.LIBCMT ref: 01006B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 010607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 010607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 010607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 01060804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0106082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01060837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0106083C

Strings

\CLSID, xrefs: 01060724
SOFTWARE\Classes\, xrefs: 0106070E
\IPC$, xrefs: 01060784

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 68c3c7d06a331eb16e0852783ee90ba42eeb8f59792c049c0fed42ac9304f4f9
Instruction ID: c00c518700d7404fe603a527daacb3aa9dcd7a8a8393b37624830764557213f1
Opcode Fuzzy Hash: 68c3c7d06a331eb16e0852783ee90ba42eeb8f59792c049c0fed42ac9304f4f9
Instruction Fuzzy Hash: 75412972D10229AFEF26EBA4DC948EDB7B8FF54750F444169E981A7190EB315A04CBA0

Function 01093F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0109403B
CreateCompatibleDC.GDI32(00000000), ref: 01094042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01094055
SelectObject.GDI32(00000000,00000000), ref: 0109405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 01094068
DeleteDC.GDI32(00000000), ref: 01094072
GetWindowLongW.USER32(?,000000EC), ref: 0109407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 01094092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0109409E

Strings

static, xrefs: 01093FD3

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 9b0f7e1db002376291b65c1c5ee2af70a1820d9ddead97c03a7556ab663543f6
Instruction ID: 6cda405ed088e2d5969c79a1cd5be12cc70378a11dd3a3d0b9272a2b0cec8888
Opcode Fuzzy Hash: 9b0f7e1db002376291b65c1c5ee2af70a1820d9ddead97c03a7556ab663543f6
Instruction Fuzzy Hash: 43316132501215ABEF229F68CD18FDA3BA9FF0D324F010215FA94E6190C776D851EB94

Function 01083C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01083C5C
CoInitialize.OLE32(00000000), ref: 01083C8A
CoUninitialize.OLE32 ref: 01083C94
_wcslen.LIBCMT ref: 01083D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 01083DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 01083ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 01083F0E
CoGetObject.OLE32(?,00000000,0109FB98,?), ref: 01083F2D
SetErrorMode.KERNEL32(00000000), ref: 01083F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01083FC4
VariantClear.OLEAUT32(?), ref: 01083FD8

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 71f15e2940b69bc6a62c1908d8b176b9a84779a8f44eb42f6037ab3c9f88f90b
Instruction ID: f7062f19f180ba3fd865303ab577262702e32508ce97215b60c29c96ca6277e5
Opcode Fuzzy Hash: 71f15e2940b69bc6a62c1908d8b176b9a84779a8f44eb42f6037ab3c9f88f90b
Instruction Fuzzy Hash: 15C134716083059FD710EF68C88496BBBE9FF89A48F00495DF9CA9B251DB31ED05CB92

Function 01077A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01077AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 01077B8F
SHGetDesktopFolder.SHELL32(?), ref: 01077BA3
CoCreateInstance.OLE32(0109FD08,00000000,00000001,010C6E6C,?), ref: 01077BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 01077C74
CoTaskMemFree.OLE32(?,?), ref: 01077CCC
SHBrowseForFolderW.SHELL32(?), ref: 01077D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 01077D7A
CoTaskMemFree.OLE32(00000000), ref: 01077D81
CoTaskMemFree.OLE32(00000000), ref: 01077DD6
CoUninitialize.OLE32 ref: 01077DDC

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: fc99be40cc24c5935010392e878f06605191179f3ee44f4babf7e2988fedac08
Instruction ID: fef9f6d73521734822b99c08a308628a6dd9fbbae9197b374fa8806565823173
Opcode Fuzzy Hash: fc99be40cc24c5935010392e878f06605191179f3ee44f4babf7e2988fedac08
Instruction Fuzzy Hash: 7FC13B75A00109AFDB14DFA4C888DAEBBF9FF48354F148498E5599B351DB31ED41CB90

Function 0109541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01095504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01095515
CharNextW.USER32(00000158), ref: 01095544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01095585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0109559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010955AC

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 5ebbaee74a392703e3c53d25142e613c4a2a6e7f4715579b4bfaca237582bd0e
Instruction ID: 676030e7bcadd4ec5e44b41871a1917b92f0ea09e5dddfe20d8e9b039d21ee79
Opcode Fuzzy Hash: 5ebbaee74a392703e3c53d25142e613c4a2a6e7f4715579b4bfaca237582bd0e
Instruction Fuzzy Hash: 2C61C531904209AFEF62CF56CCA49FE7BB9FF0A724F004046F6A597291D7349641EB60

Function 0105FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0105FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0105FB08
VariantInit.OLEAUT32(?), ref: 0105FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0105FB3A
VariantCopy.OLEAUT32(?,?), ref: 0105FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0105FBA1
VariantClear.OLEAUT32(?), ref: 0105FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0105FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0105FBCC
VariantClear.OLEAUT32(?), ref: 0105FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0105FBE9

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: c2671c49af6fc12fb6e485f88a9e17402c7f96c0bde068bfbf15690e857e6ceb
Instruction ID: 9a05d21f510da98886da054c5274855d47e43eb5c55ea3f725c5d544d0d78302
Opcode Fuzzy Hash: c2671c49af6fc12fb6e485f88a9e17402c7f96c0bde068bfbf15690e857e6ceb
Instruction Fuzzy Hash: C1415E75E0021ADFEB10DF68C9549EEBBB9FF48344F008069E985A7250CB39AD45CFA1

Function 01069C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 01069CA1
GetAsyncKeyState.USER32(000000A0), ref: 01069D22
GetKeyState.USER32(000000A0), ref: 01069D3D
GetAsyncKeyState.USER32(000000A1), ref: 01069D57
GetKeyState.USER32(000000A1), ref: 01069D6C
GetAsyncKeyState.USER32(00000011), ref: 01069D84
GetKeyState.USER32(00000011), ref: 01069D96
GetAsyncKeyState.USER32(00000012), ref: 01069DAE
GetKeyState.USER32(00000012), ref: 01069DC0
GetAsyncKeyState.USER32(0000005B), ref: 01069DD8
GetKeyState.USER32(0000005B), ref: 01069DEA

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c16899527a8f383eadf583b67ba4109faf2b679d9e43cbd90a3cc590aa887305
Instruction ID: 0bcf2e43b118fc640923668905042e8daad61f1412b1407bdeeca0ec04ccb518
Opcode Fuzzy Hash: c16899527a8f383eadf583b67ba4109faf2b679d9e43cbd90a3cc590aa887305
Instruction Fuzzy Hash: A341E5309047C96DFFB2966889143B5BEE86F1131CF0480EECAC6569C3DBB591C8C7A2

Function 0108055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 010805BC
inet_addr.WSOCK32(?), ref: 0108061C
gethostbyname.WSOCK32(?), ref: 01080628
IcmpCreateFile.IPHLPAPI ref: 01080636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 010806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 010806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 010807B9
WSACleanup.WSOCK32 ref: 010807BF

Strings

Ping, xrefs: 01080676

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 1c553c43844526740dc1347ccea416b679134bc319e1273d8764adcad6e233d2
Instruction ID: 3b950cdee72797ed14aa20eed2c74bcbbbb34773a67d7c0dbd283865d8c90258
Opcode Fuzzy Hash: 1c553c43844526740dc1347ccea416b679134bc319e1273d8764adcad6e233d2
Instruction Fuzzy Hash: 159192759082419FE320EF19C588F1ABBE0BF44318F0485A9F5E98B6A5C735ED49CF91

Function 01088CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 01088CF3

Part of subcall function 01068E54: _wcslen.LIBCMT ref: 01068E77

_wcslen.LIBCMT ref: 01088D4E
_wcslen.LIBCMT ref: 01088D9C
_wcslen.LIBCMT ref: 01088DDC
_wcslen.LIBCMT ref: 01088E6E

Strings

cdecl, xrefs: 01088D48, 01088D4D
stdcall, xrefs: 01088DD6, 01088DDB
none, xrefs: 01088E65, 01088E6A
winapi, xrefs: 01088D96, 01088D9B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: bbf2f90a990f16b562664e666857f7b78448a80173c1c27b7b7b9b3be264c184
Instruction ID: 76edb01c81635271073775a090c068fab25b15a7ff19b6f99a3a84a8f461e68d
Opcode Fuzzy Hash: bbf2f90a990f16b562664e666857f7b78448a80173c1c27b7b7b9b3be264c184
Instruction Fuzzy Hash: 8451D331A081179BCB15EF6CC8408BEB7E5BF64724BA0826AE5E6E72C5DB31DD40C790

Function 0108372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 01083774
CoUninitialize.OLE32 ref: 0108377F
CoCreateInstance.OLE32(?,00000000,00000017,0109FB78,?), ref: 010837D9
IIDFromString.OLE32(?,?), ref: 0108384C
VariantInit.OLEAUT32(?), ref: 010838E4
VariantClear.OLEAUT32(?), ref: 01083936

Strings

Failed to create object, xrefs: 010837E4, 0108389A
NULL Pointer assignment, xrefs: 0108381E
Invalid parameter, xrefs: 01083865

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 8aa69ad506ee0e01b5aa4866767c3f25c0429b4e0ed2548660d1c44fa1cd8941
Instruction ID: 965f935cb475cb56b704023bb7f491c198590da7270c861435d9fc069d351793
Opcode Fuzzy Hash: 8aa69ad506ee0e01b5aa4866767c3f25c0429b4e0ed2548660d1c44fa1cd8941
Instruction Fuzzy Hash: 69616D70608702AFD721EF54C948B9EBBE8BF89B14F004859F5C59B291D774E948CB92

Function 01073388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 010733CF

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 010733F0

Strings

Error: , xrefs: 010734D1
^ ERROR , xrefs: 0107349E
Line %d (File "%s"):, xrefs: 01073443, 0107345C
"%s" (%d) : ==> %s:, xrefs: 01073522
"%s" (%d) : ==> %s:%s%s, xrefs: 01073504
Incorrect parameters to object property !, xrefs: 010734AB

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 517c5b71ce445f772886698f87bc6a9c56fff5e68ddd93c552a247e1d76f68fb
Instruction ID: 77086db888517287ba24db6ba87447e124f4fa23af447b052ea2f297d8f55ff2
Opcode Fuzzy Hash: 517c5b71ce445f772886698f87bc6a9c56fff5e68ddd93c552a247e1d76f68fb
Instruction Fuzzy Hash: 9851A071D0020AAAEF16EBA0CD41EEEB779BF24744F104065E58576191EF362F58DF60

Function 0106B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0106B5FC
_wcslen.LIBCMT ref: 0106B608
_wcslen.LIBCMT ref: 0106B64D
_wcslen.LIBCMT ref: 0106B68C
_wcslen.LIBCMT ref: 0106B6C7

Strings

KEYS, xrefs: 0106B647, 0106B64C
APPEND, xrefs: 0106B6C1, 0106B6C6
EXISTS, xrefs: 0106B686, 0106B68B
REMOVE, xrefs: 0106B602, 0106B607

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 88bd87a623ca1e0d568f5b86a81b8c369060bdfa60396dd09d3b4a1717cb506d
Instruction ID: 14c1dd346e9d35bfc42f90dcfbd23521befd74ba2cc6ccbd8271c8a9415c90a0
Opcode Fuzzy Hash: 88bd87a623ca1e0d568f5b86a81b8c369060bdfa60396dd09d3b4a1717cb506d
Instruction Fuzzy Hash: CB4126B2B000278ACB205F7DC8905BE7BEDBF64A54B154269F5E1D7284F639CD81C790

Function 01075393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 010753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 01075416
GetLastError.KERNEL32 ref: 01075420
SetErrorMode.KERNEL32(00000000,READY), ref: 010754A7

Strings

READONLY, xrefs: 01075452
READY, xrefs: 01075460, 01075468
INVALID, xrefs: 01075459
NOTREADY, xrefs: 0107544B
UNKNOWN, xrefs: 01075444

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 37d8c82a18a219061100e7019adf21d951b261a031c26d5668447ef4d41857bc
Instruction ID: 934217cca73e04e396ea8338cf7f4e74769de024f00587defbbafac15295fa27
Opcode Fuzzy Hash: 37d8c82a18a219061100e7019adf21d951b261a031c26d5668447ef4d41857bc
Instruction Fuzzy Hash: F7319E35E001059FEB51DF68C884AEE7BF4FF05309F048099E586CB292DB71E942CB94

Function 01093C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 01093C79
SetMenu.USER32(?,00000000), ref: 01093C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01093D10
IsMenu.USER32(?), ref: 01093D24
CreatePopupMenu.USER32 ref: 01093D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01093D5B
DrawMenuBar.USER32 ref: 01093D63

Strings

F, xrefs: 01093D4E
0, xrefs: 01093C54

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 487c8c13cfcc2fe4d366a35c9a3ac9a681dc82ccf808a8be5559f6f2bd34a909
Instruction ID: affabef75e9cb69bd6099d94ed4fb2fba8fbfae34cf248fa23fcc747f5e6cb97
Opcode Fuzzy Hash: 487c8c13cfcc2fe4d366a35c9a3ac9a681dc82ccf808a8be5559f6f2bd34a909
Instruction Fuzzy Hash: 42419FB4A02209EFEF24DF64E964ADA7BF5FF49300F040068EA869B350D735A910DF54

Function 01061EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

Part of subcall function 01063CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01063CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 01061F64
GetDlgCtrlID.USER32 ref: 01061F6F
GetParent.USER32 ref: 01061F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 01061F8E
GetDlgCtrlID.USER32(?), ref: 01061F97
GetParent.USER32(?), ref: 01061FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 01061FAE

Strings

ListBox, xrefs: 01061F21
ComboBox, xrefs: 01061EEC

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 46b3f688e50e5461fabf6c7c46f14d3eaf72c13fe5aa17713b2b660d2f78f0e2
Instruction ID: 2c75d2b613a65fc0382890c5b32fb1b1951b4ab5ea82b938f82e38eaba560a42
Opcode Fuzzy Hash: 46b3f688e50e5461fabf6c7c46f14d3eaf72c13fe5aa17713b2b660d2f78f0e2
Instruction Fuzzy Hash: 7721D074E00218BBEF11AFA0CC94DEEBBB8BF69310F000149B9A5672D4CB3965049BA0

Function 01061FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

Part of subcall function 01063CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01063CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 01062043
GetDlgCtrlID.USER32 ref: 0106204E
GetParent.USER32 ref: 0106206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0106206D
GetDlgCtrlID.USER32(?), ref: 01062076
GetParent.USER32(?), ref: 0106208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0106208D

Strings

ListBox, xrefs: 01062002
ComboBox, xrefs: 01061FCD

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 89e0138bef78ce1f80e6ff044f0e6077e2ed3d7c947a0db94205dba7b7fdba56
Instruction ID: 941298560d9e6306701c73672ef91f4e5470051b6369a3833315dfd2efd7bdc9
Opcode Fuzzy Hash: 89e0138bef78ce1f80e6ff044f0e6077e2ed3d7c947a0db94205dba7b7fdba56
Instruction Fuzzy Hash: 2B21CFB5E00218BBEF11AFA4CC84EEEBFB9BF18300F004045B9D5A7296CA795514DBA0

Function 01093A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01093A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01093AA0
GetWindowLongW.USER32(?,000000F0), ref: 01093AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01093AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01093B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 01093BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 01093BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 01093BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 01093BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 01093C13

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: d1df78be1e1585ac702abca26c571b5f023fb3f4412682cce99f43885f44f790
Instruction ID: fdb69e02f1b023edbd6454dc0801e38f06feed00425a51c29cb510234e0d4a8b
Opcode Fuzzy Hash: d1df78be1e1585ac702abca26c571b5f023fb3f4412682cce99f43885f44f790
Instruction Fuzzy Hash: D1616B75900248AFDB20DFA8CC91EEEB7F8FB09700F104199FA95AB291D774A945DF50

Function 0106B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0106B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0106A1E1,?,00000001), ref: 0106B165
GetWindowThreadProcessId.USER32(00000000), ref: 0106B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0106A1E1,?,00000001), ref: 0106B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0106B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0106A1E1,?,00000001), ref: 0106B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0106A1E1,?,00000001), ref: 0106B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0106A1E1,?,00000001), ref: 0106B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0106A1E1,?,00000001), ref: 0106B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0106A1E1,?,00000001), ref: 0106B21D

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 5cfe3e5b2fb52776d831ef3a5425833fe6bc4739e1827b7f2dfc8d30a4fbaaf4
Instruction ID: 8f522a8d4d28ebf0091f778237d75dc8bdf8b31c48610fb26b3bab1d0e8ca329
Opcode Fuzzy Hash: 5cfe3e5b2fb52776d831ef3a5425833fe6bc4739e1827b7f2dfc8d30a4fbaaf4
Instruction Fuzzy Hash: 9631CEF1A00204FFEB359F28D958B6E7FEDBB45315F108054FA80DA184D7BAA9008F61

Function 01032C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01032C94

Part of subcall function 010329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0103D7D1,00000000,00000000,00000000,00000000,?,0103D7F8,00000000,00000007,00000000,?,0103DBF5,00000000), ref: 010329DE
Part of subcall function 010329C8: GetLastError.KERNEL32(00000000,?,0103D7D1,00000000,00000000,00000000,00000000,?,0103D7F8,00000000,00000007,00000000,?,0103DBF5,00000000,00000000), ref: 010329F0

_free.LIBCMT ref: 01032CA0
_free.LIBCMT ref: 01032CAB
_free.LIBCMT ref: 01032CB6
_free.LIBCMT ref: 01032CC1
_free.LIBCMT ref: 01032CCC
_free.LIBCMT ref: 01032CD7
_free.LIBCMT ref: 01032CE2
_free.LIBCMT ref: 01032CED
_free.LIBCMT ref: 01032CFB

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 85ed5455c1a119b347f380d57fe55df1422e7f19326cb655411496bc484f966d
Instruction ID: 51ad6cd0b4e9dfe2011202ef74d5887e9cdc5d78b0464796d85a7cff598349a1
Opcode Fuzzy Hash: 85ed5455c1a119b347f380d57fe55df1422e7f19326cb655411496bc484f966d
Instruction Fuzzy Hash: 6711C876100119BFCB02EF94E880CDD3BB9FF55390B8145A6FA889F231DA31EE509B90

Function 01077DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01077FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 01077FC1
GetFileAttributesW.KERNEL32(?), ref: 01077FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 01078005
SetCurrentDirectoryW.KERNEL32(?), ref: 01078017
SetCurrentDirectoryW.KERNEL32(?), ref: 01078060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 010780B0

Strings

*.*, xrefs: 01078066

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: a77f20c71385d14fcf8295d610b195a40f264f041d8ed0d10c48edd0b685a963
Instruction ID: d2d67e3fcbe9b3874b2e0df49965d14f68b051b1f603afecb152af9368d367cd
Opcode Fuzzy Hash: a77f20c71385d14fcf8295d610b195a40f264f041d8ed0d10c48edd0b685a963
Instruction Fuzzy Hash: 8A81D2729043419BEB61DF18C4489AEB7E8BF88354F048C5EF9C5C7250E775E944CB96

Function 01005BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 01005C7A

Part of subcall function 01005D0A: GetClientRect.USER32(?,?), ref: 01005D30
Part of subcall function 01005D0A: GetWindowRect.USER32(?,?), ref: 01005D71
Part of subcall function 01005D0A: ScreenToClient.USER32(?,?), ref: 01005D99

GetDC.USER32 ref: 010446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 01044708
SelectObject.GDI32(00000000,00000000), ref: 01044716
SelectObject.GDI32(00000000,00000000), ref: 0104472B
ReleaseDC.USER32(?,00000000), ref: 01044733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 010447C4

Strings

U, xrefs: 01044693

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 5272e012d7f459de6f46d234363ee618d036b35333b113769f20393ea6e5fa3a
Instruction ID: 17ecfc1f60c7c8fc2eab5008f00fff4819071e389fe8f7b8aedb780f1d96d86f
Opcode Fuzzy Hash: 5272e012d7f459de6f46d234363ee618d036b35333b113769f20393ea6e5fa3a
Instruction Fuzzy Hash: 7971BFB1400209DFEF22CF68C9C4ABA7BB5FF49350F1442B9EAD59A19AC7319842CF51

Function 0107359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 010735E4

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

LoadStringW.USER32(010D2390,?,00000FFF,?), ref: 0107360A

Strings

Error: , xrefs: 010736EF
Line %d (File "%s"):, xrefs: 0107366B
"%s" (%d) : ==> %s:, xrefs: 01073742
^ ERROR, xrefs: 010736C9
"%s" (%d) : ==> %s:%s%s, xrefs: 01073724

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 7b5476cad584ea3d5364ba416228f9947e2e519168eaf6f85a382d389cca9051
Instruction ID: a4d9d6610198e8736d0bf88cf5a9948b8b054e9571b663921eedd981e2b69898
Opcode Fuzzy Hash: 7b5476cad584ea3d5364ba416228f9947e2e519168eaf6f85a382d389cca9051
Instruction Fuzzy Hash: 8E517F71D0020AABEF26EBA4CC41EEEBB79BF24304F448165E58576191DF311A99DFA0

Function 01098B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01019BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01019BB2

Part of subcall function 0101912D: GetCursorPos.USER32(?), ref: 01019141
Part of subcall function 0101912D: ScreenToClient.USER32(00000000,?), ref: 0101915E
Part of subcall function 0101912D: GetAsyncKeyState.USER32(00000001), ref: 01019183
Part of subcall function 0101912D: GetAsyncKeyState.USER32(00000002), ref: 0101919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 01098B6B
ImageList_EndDrag.COMCTL32 ref: 01098B71
ReleaseCapture.USER32 ref: 01098B77
SetWindowTextW.USER32(?,00000000), ref: 01098C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 01098C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 01098CFF

Strings

@GUI_DROPID, xrefs: 01098C51
@GUI_DRAGFILE, xrefs: 01098C9A

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 574a6cb43360cc8b95443b6c2298607d328d213c87cbb1294df44dda8ea066d4
Instruction ID: 0216950a683802042b5e2605d62ecfd823a5e460ea86257590df713191f8b5ec
Opcode Fuzzy Hash: 574a6cb43360cc8b95443b6c2298607d328d213c87cbb1294df44dda8ea066d4
Instruction Fuzzy Hash: DD51CA70604349AFEB10DF24C9A5FAA77E4FB88714F40062DF9D6A72D1CB359904CB62

Function 0107C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0107C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0107C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0107C2CA
GetLastError.KERNEL32 ref: 0107C322
SetEvent.KERNEL32(?), ref: 0107C336
InternetCloseHandle.WININET(00000000), ref: 0107C341

Strings

, xrefs: 0107C2BB

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 32e28654e5d749f40a7651ad06530b5a7874bb0d92f8c135b46ff3cf60e44b33
Instruction ID: 83e09301072f2b1a7befd83d055105c056c94776934577c46bf44877174bce00
Opcode Fuzzy Hash: 32e28654e5d749f40a7651ad06530b5a7874bb0d92f8c135b46ff3cf60e44b33
Instruction Fuzzy Hash: 063180B190060AAFF7719F648A88AAF7BFCFB49644B04851DE4CAD2200DB35DA058B64

Function 0106989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,01043AAF,?,?,Bad directive syntax error,0109CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 010698BC
LoadStringW.USER32(00000000,?,01043AAF,?), ref: 010698C3

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 01069987

Strings

Line %d:, xrefs: 01069912
Line %d (File "%s"):, xrefs: 0106992D
Error: , xrefs: 01069955
%s (%d) : ==> %s.: %s %s, xrefs: 010698F1
., xrefs: 0106996D

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 2bed891819e3e2d1e787b71065ab1f44e26101844701bc01dc897bb1b289991d
Instruction ID: 58b3683dee952002c63c4b3e6fdbc57b325c7e29ec03ff8bff5743dac5e4bc3e
Opcode Fuzzy Hash: 2bed891819e3e2d1e787b71065ab1f44e26101844701bc01dc897bb1b289991d
Instruction Fuzzy Hash: CA217E31C0021BAFDF22AF90CC46EEE7779BF28704F044459F59566191EB35A618DB60

Function 0106209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 010620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 010620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0106214D

Strings

largeicons, xrefs: 010620E1
details, xrefs: 010620FB
SHELLDLL_DefView, xrefs: 010620CC
list, xrefs: 0106212F
smallicons, xrefs: 01062115

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 97b1ea2af6fe920251999654433fbdc685e4e2b2af0b08a9b4ae22a3e9bf0400
Instruction ID: 1924898d086e28a1da783b65c0c427f0a0088423dc52390910691ca00f6c31ec
Opcode Fuzzy Hash: 97b1ea2af6fe920251999654433fbdc685e4e2b2af0b08a9b4ae22a3e9bf0400
Instruction Fuzzy Hash: 5411067E68C317FAF6126225DC06DEA77DCDB29724B10005AFBC4ED091FEA5B8424A54

Function 01038D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb1e1a6b1c7be254cc4623c839d002e6afa09457bf00ecb71a08d8eb4f97dbc
Instruction ID: 9a8d49a2ea2a74a99d6dfc3a32c70db0a48a5ee0596287bb680922571eb95275
Opcode Fuzzy Hash: 1fb1e1a6b1c7be254cc4623c839d002e6afa09457bf00ecb71a08d8eb4f97dbc
Instruction Fuzzy Hash: FBC1E27490424A9FDB119FACC844BEDBFF8AF8A314F0441CAF998A7392C7758941CB61

Function 0103CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0103CEB7
_free.LIBCMT ref: 0103CF22
_free.LIBCMT ref: 0103CF48
_free.LIBCMT ref: 0103CF71
_free.LIBCMT ref: 0103CFA9
_free.LIBCMT ref: 0103CFDA
_free.LIBCMT ref: 0103D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0103D09C
_free.LIBCMT ref: 0103D0B5

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 1bc166350f77b18a4382f53a1548a9fe64780db85c4191ca16902b84274dd87f
Instruction ID: 6bef6080306b59a2a646fa5cf6c6818f839b23f76d07bb813a651552c4be54d2
Opcode Fuzzy Hash: 1bc166350f77b18a4382f53a1548a9fe64780db85c4191ca16902b84274dd87f
Instruction Fuzzy Hash: 55610771905316AFEB22BFB89980AAD7BECEF85350F0441AFFAC4E7245D6369901C750

Function 010950D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 01095186
ShowWindow.USER32(?,00000000), ref: 010951C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 010951CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 010951D1

Part of subcall function 01096FBA: DeleteObject.GDI32(00000000), ref: 01096FE6

GetWindowLongW.USER32(?,000000F0), ref: 0109520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0109521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0109524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 01095287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 01095296

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 8b2a2caaf87579c3526d0af8dad46f0ecf5c5938222cc12f0ee65fdfdb811fe0
Instruction ID: f2bff4e3a81b83b5a7cededdebddfe9a2ab4a0ddb242706b0e0ed885951e9284
Opcode Fuzzy Hash: 8b2a2caaf87579c3526d0af8dad46f0ecf5c5938222cc12f0ee65fdfdb811fe0
Instruction Fuzzy Hash: FA51C370A40209BFFF329F2ACC65BD83BA5FB06325F144093F6A5962D0D776A580EB41

Function 01018B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 01056890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 010568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 010568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 010568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 010568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,01018874,00000000,00000000,00000000,000000FF,00000000), ref: 01056901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0105691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,01018874,00000000,00000000,00000000,000000FF,00000000), ref: 0105692D

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 3a138852e770335a8e88d03c62cc62840a82674bd6010b79923363b823c1458c
Instruction ID: bc878accec71dacbf35badd5b3f0ade47ba0d81a678142850d3eb50c3aa1213c
Opcode Fuzzy Hash: 3a138852e770335a8e88d03c62cc62840a82674bd6010b79923363b823c1458c
Instruction Fuzzy Hash: EC518EB0A00205EFEB61CF28C895BAA7BF5FF48750F104519F98697294DB76EA90CB50

Function 0107C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0107C182
GetLastError.KERNEL32 ref: 0107C195
SetEvent.KERNEL32(?), ref: 0107C1A9

Part of subcall function 0107C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0107C272
Part of subcall function 0107C253: GetLastError.KERNEL32 ref: 0107C322
Part of subcall function 0107C253: SetEvent.KERNEL32(?), ref: 0107C336
Part of subcall function 0107C253: InternetCloseHandle.WININET(00000000), ref: 0107C341

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 5c33c69a4eae63af34096886fefdf2d5acf9cc937adfb370960ee6238966fe3d
Instruction ID: 926325ebe72e6cb20bb59b747cce7637e8ec00ef740287db30db95d7c51c7235
Opcode Fuzzy Hash: 5c33c69a4eae63af34096886fefdf2d5acf9cc937adfb370960ee6238966fe3d
Instruction Fuzzy Hash: 8231B271900642AFFB219FA9DA04A6ABBF8FF18200B00446DF9DA82600C735E911DB64

Function 010625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 01063A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01063A57
Part of subcall function 01063A3D: GetCurrentThreadId.KERNEL32 ref: 01063A5E
Part of subcall function 01063A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010625B3), ref: 01063A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 010625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 010625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 010625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 010625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 01062601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 01062605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0106260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 01062623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 01062627

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: c162642839bbd8b290e77c463a0d512a727732a350190eb50cda140a1139ce9d
Instruction ID: c54da0713677b68b51ab36c9efc6e947f8f074ed4a726b4c159a50951896607a
Opcode Fuzzy Hash: c162642839bbd8b290e77c463a0d512a727732a350190eb50cda140a1139ce9d
Instruction Fuzzy Hash: EF01D870B90210BBFB2066699C9AF593F5DEF4EB51F100011F398AE0C4C9F22444CBA9

Function 01061803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,01061449,?,?,00000000), ref: 0106180C
HeapAlloc.KERNEL32(00000000,?,01061449,?,?,00000000), ref: 01061813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01061449,?,?,00000000), ref: 01061828
GetCurrentProcess.KERNEL32(?,00000000,?,01061449,?,?,00000000), ref: 01061830
DuplicateHandle.KERNEL32(00000000,?,01061449,?,?,00000000), ref: 01061833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01061449,?,?,00000000), ref: 01061843
GetCurrentProcess.KERNEL32(01061449,00000000,?,01061449,?,?,00000000), ref: 0106184B
DuplicateHandle.KERNEL32(00000000,?,01061449,?,?,00000000), ref: 0106184E
CreateThread.KERNEL32(00000000,00000000,01061874,00000000,00000000,00000000), ref: 01061868

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 1a48a2551054b48fdc724521285d4d2c3cf458602293199218411286bff8b5da
Instruction ID: 2a80fcfa26d99b5341216b840568b8b49d79c5cd12851f54b5d9f5fe203a29bd
Opcode Fuzzy Hash: 1a48a2551054b48fdc724521285d4d2c3cf458602293199218411286bff8b5da
Instruction Fuzzy Hash: D701ACB5640304BFF620AB65DD49F5B3B6CFB89B11F404411FA45DB195C67598008B34

Function 0108A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0106D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0106D501
Part of subcall function 0106D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0106D50F
Part of subcall function 0106D4DC: CloseHandle.KERNELBASE(00000000), ref: 0106D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0108A16D
GetLastError.KERNEL32 ref: 0108A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0108A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0108A268
GetLastError.KERNEL32(00000000), ref: 0108A273
CloseHandle.KERNEL32(00000000), ref: 0108A2C4

Strings

SeDebugPrivilege, xrefs: 0108A18F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: aa075e116bdddb79de6db3a1b4c3813f63a65229294960a041cda71b1ac19b1d
Instruction ID: 024c99738988230238818e53602cf9720782b29a197eb92cdcdaedd0ca0c6969
Opcode Fuzzy Hash: aa075e116bdddb79de6db3a1b4c3813f63a65229294960a041cda71b1ac19b1d
Instruction Fuzzy Hash: 7661C070208242DFE721EF18C494F6ABBE1AF54318F14848DE5E68BB92C776ED45CB91

Function 01093886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01093925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0109393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01093954
_wcslen.LIBCMT ref: 01093999
SendMessageW.USER32(?,00001057,00000000,?), ref: 010939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 010939F4

Strings

SysListView32, xrefs: 010938F7

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: b234ff9ea6d673ea6cda90a015f30133ee95732f160d9568425c65fbbc6e7ea6
Instruction ID: 6b7d958eaf89f58764fb0487b27053b9e37adac4a6794676cab945885e3451de
Opcode Fuzzy Hash: b234ff9ea6d673ea6cda90a015f30133ee95732f160d9568425c65fbbc6e7ea6
Instruction Fuzzy Hash: 03419371A00319ABEF219F64CC55BEE7BA9FF08350F10056AF998EB281D7759980DF90

Function 0106BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0106BCFD
IsMenu.USER32(00000000), ref: 0106BD1D
CreatePopupMenu.USER32 ref: 0106BD53
GetMenuItemCount.USER32(00B94AF8), ref: 0106BDA4
InsertMenuItemW.USER32(00B94AF8,?,00000001,00000030), ref: 0106BDCC

Strings

0, xrefs: 0106BCA8
2, xrefs: 0106BD37

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2448b27a3d45389b4cd0edeb70fd1c10da32c128eb85ca79678755786bfea033
Instruction ID: 08c38e943ddb8caffd516adff25f7280a5191ac7eb7eec233c7ff91f7897d6fe
Opcode Fuzzy Hash: 2448b27a3d45389b4cd0edeb70fd1c10da32c128eb85ca79678755786bfea033
Instruction Fuzzy Hash: 1651AEB0B002059BEB21EFA8C984BAEBFFCBF65314F144199E581DB291E7709941CB52

Function 0106C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0106C913

Strings

warning, xrefs: 0106C8FC
blank, xrefs: 0106C895
stop, xrefs: 0106C8E4
info, xrefs: 0106C8B4
question, xrefs: 0106C8CC

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: cd1b77113d9b85605fad83389981d9c4bfe8ff17e903877ad9015157a717779a
Instruction ID: e240e296f8f9e8ecd613039e336d89748c58721f27704e926c70bc11719cdc18
Opcode Fuzzy Hash: cd1b77113d9b85605fad83389981d9c4bfe8ff17e903877ad9015157a717779a
Instruction Fuzzy Hash: 74113A32649307BEF7159B589D86CEE67DCEF15760B10006FF9C4EA282E7B15E004674

Function 0106DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0106DE42
gethostname.WSOCK32(?,00000100), ref: 0106DE5C
gethostbyname.WSOCK32(?), ref: 0106DE69
inet_ntoa.WSOCK32(?), ref: 0106DEAB
_strcat.LIBCMT ref: 0106DEB9
WSACleanup.WSOCK32 ref: 0106DEDE

Strings

0.0.0.0, xrefs: 0106DE87

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 89d2846f4a71fdd2c245b1d4a6c785979b85d425360d11ebca131fa9fe256d06
Instruction ID: 39cb316b1659565bbf6b01adcfeb403ab21ee81184d13e92983b4b0101c2c73e
Opcode Fuzzy Hash: 89d2846f4a71fdd2c245b1d4a6c785979b85d425360d11ebca131fa9fe256d06
Instruction Fuzzy Hash: BE11E971A04115AFDB30BBA4DD49EEF77ACEF21711F0401A9E5C5E6084EFB58A818BA0

Function 01099F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01019BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01019BB2

GetSystemMetrics.USER32(0000000F), ref: 01099FC7
GetSystemMetrics.USER32(0000000F), ref: 01099FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0109A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0109A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0109A263
ShowWindow.USER32(00000003,00000000), ref: 0109A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0109A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0109A2CA

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: eae28724ae2af6c0b817df7ccb51fa51c095e2eaa5d8efa04199da595d2d9fc7
Instruction ID: e3a06ab6d669caafda194c731f4364df0adaa0f352de4803c98c4850edaf3030
Opcode Fuzzy Hash: eae28724ae2af6c0b817df7ccb51fa51c095e2eaa5d8efa04199da595d2d9fc7
Instruction Fuzzy Hash: BAB19A31600225DBEF14CF6CC9A57AE7BF2FF48741F0880A9ED859B289D735A940DB60

Function 0106ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0106ED2A
_wcslen.LIBCMT ref: 0106ED3B
_wcslen.LIBCMT ref: 0106ED79
_wcslen.LIBCMT ref: 0106EDAF
_wcslen.LIBCMT ref: 0106EDDF
_wcslen.LIBCMT ref: 0106EDEF
_wcslen.LIBCMT ref: 0106EE2B
_wcslen.LIBCMT ref: 0106EE5A

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 6734b14b8b4e35c44b13ba263b81877e3b8932883e454658772047a5da2a3f7b
Instruction ID: 0639450b3616670f988d737e6fd4af90f84a94e6eba9d9907662fa565c8d8619
Opcode Fuzzy Hash: 6734b14b8b4e35c44b13ba263b81877e3b8932883e454658772047a5da2a3f7b
Instruction Fuzzy Hash: 8F41C565D1022975CB11EBF4CC899CFB7ACAF66610F508462E698E3120FB34E255C3E5

Function 0101F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0105682C,00000004,00000000,00000000), ref: 0101F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0105682C,00000004,00000000,00000000), ref: 0105F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0105682C,00000004,00000000,00000000), ref: 0105F454

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: cd56bbb9660eee4e35d8e86fea73dcdd085d31acdce275d28d912433c6a5d99f
Instruction ID: 46eb667180b718536179ba3b889ba9e99f8eaf22ee2c5127c9c0ad53c1a07076
Opcode Fuzzy Hash: cd56bbb9660eee4e35d8e86fea73dcdd085d31acdce275d28d912433c6a5d99f
Instruction Fuzzy Hash: D5413B31608783BAE7B5AB2DC59876F7FD3BB46320F48444CE5C796559C63EA089CB10

Function 01092D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01092D1B
GetDC.USER32(00000000), ref: 01092D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01092D2E
ReleaseDC.USER32(00000000,00000000), ref: 01092D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01092D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01092D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01095A65,?,?,000000FF,00000000,?,000000FF,?), ref: 01092DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01092DE1

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 98dfb9c3d6b2a213972fd9d3c222c3eb468cfb489d1ebd3bc0cfa1e2f0a2c427
Instruction ID: b57981a43f1306eb718ddfb6a1cf5be8e8886ec1f141bf226565d8ae350734d1
Opcode Fuzzy Hash: 98dfb9c3d6b2a213972fd9d3c222c3eb468cfb489d1ebd3bc0cfa1e2f0a2c427
Instruction Fuzzy Hash: 13318D72201214BBFF218F548C9AFEB3FA9FB09711F044055FE889A281C6799840C7A4

Function 01065622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 01065637
_memcmp.LIBVCRUNTIME ref: 01065659
_memcmp.LIBVCRUNTIME ref: 01065671
_memcmp.LIBVCRUNTIME ref: 01065684
_memcmp.LIBVCRUNTIME ref: 0106569E
_memcmp.LIBVCRUNTIME ref: 010656B1
_memcmp.LIBVCRUNTIME ref: 010656C9
_memcmp.LIBVCRUNTIME ref: 010656E4

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 859b3fe81e4bfd76ec08ddbcb59660afc463c05d30f62c99181c56a2b366d9ad
Instruction ID: 608b0a42d386323b34c4ebdbe7c19804a893b6dd4c8a425b36e71fbaf2a2fa64
Opcode Fuzzy Hash: 859b3fe81e4bfd76ec08ddbcb59660afc463c05d30f62c99181c56a2b366d9ad
Instruction Fuzzy Hash: 992192B164021B7BE71456256E91FFA279DAE241D4F048024FDC4AB641F770ED20C5A5

Function 01084FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0108502E, 01085383
Not an Object type, xrefs: 01085007

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 3d8b271448fcf01f64863b318af4a417fb78f97625e15a8c2e0d2df05bc8bc0c
Instruction ID: 52f1e2a898fd57d7b9e45a37869f9a69cb0c33ad0166d9017956f92770920410
Opcode Fuzzy Hash: 3d8b271448fcf01f64863b318af4a417fb78f97625e15a8c2e0d2df05bc8bc0c
Instruction Fuzzy Hash: 4BD19375A0420A9FDF10DF98CC80BAEBBF5BF48314F1484A9E995AB281E771D945CB50

Function 01041522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,010417FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 010415CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,010417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 01041651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,010417FB,?,010417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 010416E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,010417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 010416FB

Part of subcall function 01033820: RtlAllocateHeap.NTDLL(00000000,?,010D1444,?,0101FDF5,?,?,0100A976,00000010,010D1440,010013FC,?,010013C6,?,01001129), ref: 01033852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,010417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 01041777
__freea.LIBCMT ref: 010417A2
__freea.LIBCMT ref: 010417AE

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2ddb51427cdd5360947c3be5a424c9fdf501931b165a9c6bc073357c1bfca617
Instruction ID: 9e296dbfa098af287964696746f11ed38b9f547eb515990a55186c6aace5e266
Opcode Fuzzy Hash: 2ddb51427cdd5360947c3be5a424c9fdf501931b165a9c6bc073357c1bfca617
Instruction Fuzzy Hash: 0791B9F1E002169BEB21CE78C9C1AEE7BF5AF49650F1845B9E985E7140D735E880CBA0

Function 01084523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01084648
VariantInit.OLEAUT32(?), ref: 01084749
VariantClear.OLEAUT32(?), ref: 01084753
VariantClear.OLEAUT32(?), ref: 010847B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0108472C
Null Object assignment in FOR..IN loop, xrefs: 010845D8, 01084706, 010847BE

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 383e4f99aa74adad482e256591ece5e0c3dc13f3026e5dcda0f57446da04a80a
Instruction ID: 37af3c5af11ce50fa103a2762beed8e7c24741f740e878d0ff04609fcce96299
Opcode Fuzzy Hash: 383e4f99aa74adad482e256591ece5e0c3dc13f3026e5dcda0f57446da04a80a
Instruction Fuzzy Hash: FC917C71A0421AABDF20EFA5C884FAEBBB8FF45714F008559E585EB281D7709945CFA0

Function 01071187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0107125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 01071284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 010712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0107135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 01071430

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 0d3c34b9d503752dbd3172c85640960a682283a02692315e302984ab3debf543
Instruction ID: 6d7ce98116e950f441f62950e81eadc7c875c1d0aa35f41a8c6a81302eeaaa3e
Opcode Fuzzy Hash: 0d3c34b9d503752dbd3172c85640960a682283a02692315e302984ab3debf543
Instruction Fuzzy Hash: 8A91C071E00209AFEB119F98C484BFE77B5FF45315F148069E990EB2D0DB79A941CB94

Function 0101948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 76a978adfeb6cc5817e51299dfa26f4126e8435aaf88b936dd9a6eb02f459870
Instruction ID: 20ad3e03dc967398d32b24b4e9f8b3dbd2612af091904ed6b86dca6271317b1f
Opcode Fuzzy Hash: 76a978adfeb6cc5817e51299dfa26f4126e8435aaf88b936dd9a6eb02f459870
Instruction Fuzzy Hash: 11916871D00219EFDB50CFA9C894AEEBFB8FF49324F148489E955B7255D338AA41CB60

Function 01083947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0108396B
CharUpperBuffW.USER32(?,?), ref: 01083A7A
_wcslen.LIBCMT ref: 01083A8A
VariantClear.OLEAUT32(?), ref: 01083C1F

Part of subcall function 01070CDF: VariantInit.OLEAUT32(00000000), ref: 01070D1F
Part of subcall function 01070CDF: VariantCopy.OLEAUT32(?,?), ref: 01070D28
Part of subcall function 01070CDF: VariantClear.OLEAUT32(?), ref: 01070D34

Strings

Incorrect Parameter format, xrefs: 010839A6, 01083BA1
AUTOIT.ERROR, xrefs: 01083A80, 01083A85

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: f625d3e847bde1121a30ccb50f1c51c08f19ed1b4b3c73c0e34ceca5fa73da6e
Instruction ID: 781798c67f35c0857787251bfbd805fca7bda193388b3357b04a4e838aab84b1
Opcode Fuzzy Hash: f625d3e847bde1121a30ccb50f1c51c08f19ed1b4b3c73c0e34ceca5fa73da6e
Instruction Fuzzy Hash: 52914875A083469FC704EF28C4809AABBE5FF98714F04886DF9C99B351DB31E945CB92

Function 01084BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0106000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0105FF41,80070057,?,?,?,0106035E), ref: 0106002B
Part of subcall function 0106000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0105FF41,80070057,?,?), ref: 01060046
Part of subcall function 0106000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0105FF41,80070057,?,?), ref: 01060054
Part of subcall function 0106000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0105FF41,80070057,?), ref: 01060064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 01084C51
_wcslen.LIBCMT ref: 01084D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 01084DCF
CoTaskMemFree.OLE32(?), ref: 01084DDA

Strings

NULL Pointer assignment, xrefs: 01084E23, 01084E52

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 0fa00d9cdb696614f6a75fdf747e4c6adf1bdb5c1723408c670def8976136078
Instruction ID: 52b4d14a0ea84df0d35e0a64e56aaa250fbc497e3ccc1ddb822526b1c7916bb4
Opcode Fuzzy Hash: 0fa00d9cdb696614f6a75fdf747e4c6adf1bdb5c1723408c670def8976136078
Instruction Fuzzy Hash: 92911A71D0421EDFEF15EFA4C890AEEBBB9BF18314F108169E995A7280DB705A44CF60

Function 010920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 01092183
GetMenuItemCount.USER32(00000000), ref: 010921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 010921DD
_wcslen.LIBCMT ref: 01092213
GetMenuItemID.USER32(?,?), ref: 0109224D
GetSubMenu.USER32(?,?), ref: 0109225B

Part of subcall function 01063A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01063A57
Part of subcall function 01063A3D: GetCurrentThreadId.KERNEL32 ref: 01063A5E
Part of subcall function 01063A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010625B3), ref: 01063A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 010922E3

Part of subcall function 0106E97B: Sleep.KERNEL32 ref: 0106E9F3

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: a13aa50df96c77fe547a37861c47fff7a84fdcc84a3586fde004bffb9a02e660
Instruction ID: 4c417088667f257729040cd00b30c1418c6fb2888d3440de979e9ac49f564deb
Opcode Fuzzy Hash: a13aa50df96c77fe547a37861c47fff7a84fdcc84a3586fde004bffb9a02e660
Instruction Fuzzy Hash: A1719D75E00206BFDF11EF68C850AAEBBF5FF58310F148499E996EB340DB35A9419B90

Function 01097E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00B94D50), ref: 01097F37
IsWindowEnabled.USER32(00B94D50), ref: 01097F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0109801E
SendMessageW.USER32(00B94D50,000000B0,?,?), ref: 01098051
IsDlgButtonChecked.USER32(?,?), ref: 01098089
GetWindowLongW.USER32(00B94D50,000000EC), ref: 010980AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 010980C3

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: d3053699e816be390fd079f7ae04b45e74ff3e5e4fee1ba0f02022c4c980a928
Instruction ID: 17885b2db320076858d91e1d984d2dfaeecfe74415927e65cb07a2805a3dc838
Opcode Fuzzy Hash: d3053699e816be390fd079f7ae04b45e74ff3e5e4fee1ba0f02022c4c980a928
Instruction Fuzzy Hash: 8F715D35604205AFEF619F58C8B4FAABBF5EF4A300F14449AF9D5A7251C732A844EF50

Function 0106AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0106AEF9
GetKeyboardState.USER32(?), ref: 0106AF0E
SetKeyboardState.USER32(?), ref: 0106AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0106AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0106AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0106AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0106B020

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 75d79d20d84ac7018529cecb1e91aaf1371a201e52fd38ac963bbeb3fe71bf64
Instruction ID: c6530c7460ea4b67a2f84f50a022cb628b87fb0e35c20dba4e7b8121284db49b
Opcode Fuzzy Hash: 75d79d20d84ac7018529cecb1e91aaf1371a201e52fd38ac963bbeb3fe71bf64
Instruction Fuzzy Hash: B351E2E0B043D67DFB3653388845BBA7EED6B06304F0884C9F2D5964C3C2A9A984D751

Function 0106ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0106AD19
GetKeyboardState.USER32(?), ref: 0106AD2E
SetKeyboardState.USER32(?), ref: 0106AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0106ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0106ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0106AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0106AE38

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c0302783a23bd17f9fac27b7ca2b818db2465848d8a16495dfad815108f4698d
Instruction ID: e18b03ff4e0d5145d81588729670fdbabe4293aead31ae6b76033e7bf1eaadc0
Opcode Fuzzy Hash: c0302783a23bd17f9fac27b7ca2b818db2465848d8a16495dfad815108f4698d
Instruction Fuzzy Hash: 6051EBA1B047D57EFB37A2388C55B7A7EDC5B45300F0884C9E2D6674C3D2A4E984D750

Function 0103542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(01043CD6,?,?,?,?,?,?,?,?,01035BA3,?,?,01043CD6,?,?), ref: 01035470
__fassign.LIBCMT ref: 010354EB
__fassign.LIBCMT ref: 01035506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,01043CD6,00000005,00000000,00000000), ref: 0103552C
WriteFile.KERNEL32(?,01043CD6,00000000,01035BA3,00000000,?,?,?,?,?,?,?,?,?,01035BA3,?), ref: 0103554B
WriteFile.KERNEL32(?,?,00000001,01035BA3,00000000,?,?,?,?,?,?,?,?,?,01035BA3,?), ref: 01035584

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: bcb62267a4607fbb84a6ebaae41ef8797c2b7dd21ddb0fb6ceff3be17d671056
Instruction ID: 759434ad5b15825d3ed2482f83954a01ef0c4535bcd85b44aa0fedccf58a2103
Opcode Fuzzy Hash: bcb62267a4607fbb84a6ebaae41ef8797c2b7dd21ddb0fb6ceff3be17d671056
Instruction Fuzzy Hash: 9951B370A003499FDB11CFA8DC95AEEBBF9EF49300F14455AF995E7291D730AA41CB60

Function 01022D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 01022D4B
___except_validate_context_record.LIBVCRUNTIME ref: 01022D53
_ValidateLocalCookies.LIBCMT ref: 01022DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 01022E0C
_ValidateLocalCookies.LIBCMT ref: 01022E61

Strings

csm, xrefs: 01022DF6

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: fbd58800c272b012be80694d73c68548e63ec29d5896d2d4bdf11bc67e8caf20
Instruction ID: 5952bc66f78005ad8ea9d80f0b3c6539f27f526ebda2a93e98bb53367156ca5e
Opcode Fuzzy Hash: fbd58800c272b012be80694d73c68548e63ec29d5896d2d4bdf11bc67e8caf20
Instruction Fuzzy Hash: 69419F34E00229ABCF10EFA8C844AEEBFF5BF45324F148195E995AF351D7759A05CB90

Function 010810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0108304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0108307A
Part of subcall function 0108304E: _wcslen.LIBCMT ref: 0108309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 01081112
WSAGetLastError.WSOCK32 ref: 01081121
WSAGetLastError.WSOCK32 ref: 010811C9
closesocket.WSOCK32(00000000), ref: 010811F9

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: d9be759b128aa3495bf8a62ee38725be49ab032830df9e1bd73b14f1f39cae60
Instruction ID: 2bfd453eddf0a442bdbbf517c7006367a0f46fe8286e9b31466559c2308d6b2c
Opcode Fuzzy Hash: d9be759b128aa3495bf8a62ee38725be49ab032830df9e1bd73b14f1f39cae60
Instruction Fuzzy Hash: 3441D631604205AFEB11AF18C884BAEBBE9FF45364F048199ECD59B285C775ED42CBE1

Function 0106CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0106DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0106CF22,?), ref: 0106DDFD

Part of subcall function 0106DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0106CF22,?), ref: 0106DE16

lstrcmpiW.KERNEL32(?,?), ref: 0106CF45
MoveFileW.KERNEL32(?,?), ref: 0106CF7F
_wcslen.LIBCMT ref: 0106D005
_wcslen.LIBCMT ref: 0106D01B
SHFileOperationW.SHELL32(?), ref: 0106D061

Strings

\*.*, xrefs: 0106CFF3

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 4b8eb9e792845660d63a5d91972cb5613ba31bc35e85440fa8e7a3e2cf0ea665
Instruction ID: a697a62587e1300033086155c098aa4ac5aff49b7f96e066d23135be498aff41
Opcode Fuzzy Hash: 4b8eb9e792845660d63a5d91972cb5613ba31bc35e85440fa8e7a3e2cf0ea665
Instruction Fuzzy Hash: 304126719452199FEF52EFA4DA91ADDB7FCAF18280F0000E6D5C9EB141EB35A788CB50

Function 01092DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 01092E1C
GetWindowLongW.USER32(?,000000F0), ref: 01092E4F
GetWindowLongW.USER32(?,000000F0), ref: 01092E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 01092EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 01092EE0
GetWindowLongW.USER32(?,000000F0), ref: 01092EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01092F0B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 2235ef182b5ec11c41852bec90cc7698a2f48d4a26574587bfacafca4b5af01a
Instruction ID: 82e44dee3a201bbb1879d557058b8ee480e7c2ed02a0cd263f2bb9ec0a7e48cb
Opcode Fuzzy Hash: 2235ef182b5ec11c41852bec90cc7698a2f48d4a26574587bfacafca4b5af01a
Instruction Fuzzy Hash: 22311335605240AFEF21CF18DDE4FA537E0FB8A710F1501A4FA808B2A6CB76A840EB50

Function 01067726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01067769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0106778F
SysAllocString.OLEAUT32(00000000), ref: 01067792
SysAllocString.OLEAUT32(?), ref: 010677B0
SysFreeString.OLEAUT32(?), ref: 010677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 010677DE
SysAllocString.OLEAUT32(?), ref: 010677EC

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 01c03c709cc1f817691ba7ce1568743c7f64dc44913f0170eb0ef6da7a7398df
Instruction ID: b79fd9dc4fe285ef99f4d2b1cd39cb7eda6a63816ebafaad1f39891c935edcbc
Opcode Fuzzy Hash: 01c03c709cc1f817691ba7ce1568743c7f64dc44913f0170eb0ef6da7a7398df
Instruction Fuzzy Hash: B221C176A00219AFEF10DEACCD88CBB77ECFB097687048065FA84DB154DA78DC418764

Function 010677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01067842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01067868
SysAllocString.OLEAUT32(00000000), ref: 0106786B
SysAllocString.OLEAUT32 ref: 0106788C
SysFreeString.OLEAUT32 ref: 01067895
StringFromGUID2.OLE32(?,?,00000028), ref: 010678AF
SysAllocString.OLEAUT32(?), ref: 010678BD

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c62c2927958dadd3ae5818ced7ae19ac0dc3d6493c85564d0642c8264a43a707
Instruction ID: b1cfbeb87f5b502148a7a211ff00c1c48bc5ac55475d78d308e449eade6d15fb
Opcode Fuzzy Hash: c62c2927958dadd3ae5818ced7ae19ac0dc3d6493c85564d0642c8264a43a707
Instruction Fuzzy Hash: 48219031A04205AFEB119FACDC88DAA77ECFB097647108125F995CB295DA74DC41CB74

Function 010705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 010705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01070601

Strings

nul, xrefs: 01070639

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d2d0b2369f6351ccea718f7d2f37c6fa98fec7477fcd2e11b89436898921a9f7
Instruction ID: b7c9e3a619254811029dc1b90cca48c83058c897486c8bfb7559891ecf580966
Opcode Fuzzy Hash: d2d0b2369f6351ccea718f7d2f37c6fa98fec7477fcd2e11b89436898921a9f7
Instruction Fuzzy Hash: 9621B275D003059BEB209F6DC854A9A7BE8BF8A724F300B59F9E1E72D8D7719540CB28

Function 010704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 010704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0107052E

Strings

nul, xrefs: 01070567

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 0c5b9a987f31401ff75c70f9de667d3ba9b2f5da09e9472d64a689ec21b8c2f2
Instruction ID: 53c99eee2ff0a9de752f8e4621018379a4d793dfa59aad7ed2a5e4622bad64ab
Opcode Fuzzy Hash: 0c5b9a987f31401ff75c70f9de667d3ba9b2f5da09e9472d64a689ec21b8c2f2
Instruction Fuzzy Hash: 2F216DB5E00305EBEB209F29D844A9B7BE4BF46724F204B59F9E1D62D8D7719540CB24

Function 010940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0100600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0100604C
Part of subcall function 0100600E: GetStockObject.GDI32(00000011), ref: 01006060
Part of subcall function 0100600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0100606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01094112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0109411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0109412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01094139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01094145

Strings

Msctls_Progress32, xrefs: 010940E3

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 433b7961b0ed23963f704a9b10cf05923dad6f5967076e507b172507ebf97f63
Instruction ID: c3cf3de1ae5e41df93d672596f628350e0fd7294d522f46aa5d24b417b8ed35e
Opcode Fuzzy Hash: 433b7961b0ed23963f704a9b10cf05923dad6f5967076e507b172507ebf97f63
Instruction Fuzzy Hash: 7111B6B214011D7EFF218F64CC85EE77F9DEF08798F004111BA58E6150C6769C21DBA4

Function 0103D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0103D7A3: _free.LIBCMT ref: 0103D7CC

_free.LIBCMT ref: 0103D82D

Part of subcall function 010329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0103D7D1,00000000,00000000,00000000,00000000,?,0103D7F8,00000000,00000007,00000000,?,0103DBF5,00000000), ref: 010329DE
Part of subcall function 010329C8: GetLastError.KERNEL32(00000000,?,0103D7D1,00000000,00000000,00000000,00000000,?,0103D7F8,00000000,00000007,00000000,?,0103DBF5,00000000,00000000), ref: 010329F0

_free.LIBCMT ref: 0103D838
_free.LIBCMT ref: 0103D843
_free.LIBCMT ref: 0103D897
_free.LIBCMT ref: 0103D8A2
_free.LIBCMT ref: 0103D8AD
_free.LIBCMT ref: 0103D8B8

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 453b1e715ce620723898d045a85e0165d7c834bd781358fd9ad6d044bb12a562
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 54116071940B55BAD622BFF0DC45FCF7BDCBFA0700F800826A6D9A6290EA75B5058760

Function 0106DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0106DA74
LoadStringW.USER32(00000000), ref: 0106DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0106DA91
LoadStringW.USER32(00000000), ref: 0106DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0106DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0106DAB9

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 036cb2a53cc23f19d3f4c498119d2f1ccf27928788d377d40481511e0be60002
Instruction ID: 61bd27d8d771368724ca9840a52035a0b867348fc9ed1562db8cda69f2086265
Opcode Fuzzy Hash: 036cb2a53cc23f19d3f4c498119d2f1ccf27928788d377d40481511e0be60002
Instruction Fuzzy Hash: 0C0162F29042087FFB20DBA49E89EEB776CFB08601F400496B786E2045EA759E844F74

Function 0107096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00B8EA20,00B8EA20), ref: 0107097B
EnterCriticalSection.KERNEL32(00B8EA00,00000000), ref: 0107098D
TerminateThread.KERNEL32(?,000001F6), ref: 0107099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 010709A9
CloseHandle.KERNEL32(?), ref: 010709B8
InterlockedExchange.KERNEL32(00B8EA20,000001F6), ref: 010709C8
LeaveCriticalSection.KERNEL32(00B8EA00), ref: 010709CF

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7972cd80e30b8210a8839b55c72e6fd2612398e6c14d6f372c762b72c4f10ed9
Instruction ID: 1378a3362cfa55614baa47e567dacb8754b6799d568cd8a2f10ad1576d6f6c3b
Opcode Fuzzy Hash: 7972cd80e30b8210a8839b55c72e6fd2612398e6c14d6f372c762b72c4f10ed9
Instruction Fuzzy Hash: 0EF03131942902BBF7615FA4EF9DBD67B35FF01702F801155F24150898C77AA465CFA4

Function 01081C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01081DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01081DE1
WSAGetLastError.WSOCK32 ref: 01081DF2
htons.WSOCK32(?,?,?,?,?), ref: 01081EDB
inet_ntoa.WSOCK32(?), ref: 01081E8C

Part of subcall function 010639E8: _strlen.LIBCMT ref: 010639F2

Part of subcall function 01083224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0107EC0C), ref: 01083240

_strlen.LIBCMT ref: 01081F35

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: e0d4d482816b29d0a1f24b0b95fff2d8e31b2a5a5f867ccf16f6002596722393
Instruction ID: 93869c1550d6f2961004b150e3891c59af68b1a1669fe928a9d865ea506b6700
Opcode Fuzzy Hash: e0d4d482816b29d0a1f24b0b95fff2d8e31b2a5a5f867ccf16f6002596722393
Instruction Fuzzy Hash: CAB1D370608301AFD324EF24C894E6A7BE5AF94318F54858CF5DA5B2E2CB31ED46CB91

Function 01005D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 01005D30
GetWindowRect.USER32(?,?), ref: 01005D71
ScreenToClient.USER32(?,?), ref: 01005D99
GetClientRect.USER32(?,?), ref: 01005ED7
GetWindowRect.USER32(?,?), ref: 01005EF8

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 2fa3a7883860a0599381644cfb695f5c6e546224e676f8c63f49a8a00cf3c371
Instruction ID: 09937ee075f28cf2ce91dded215e4f977547fa2e942d7265865426ca3e1b5eb1
Opcode Fuzzy Hash: 2fa3a7883860a0599381644cfb695f5c6e546224e676f8c63f49a8a00cf3c371
Instruction Fuzzy Hash: 59B15B75A0068ADBEB15CFA9C8807EEBBF1FF48310F14841AE8E9D7290D734A951CB54

Function 010301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 010300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010300D6
__allrem.LIBCMT ref: 010300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0103010B
__allrem.LIBCMT ref: 01030122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01030140

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 4e70cb1f4fafff51f61fb06470ee276fe43b0bbaef62d83377f6c5890525ff02
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 83810572A017179BE760AE2DCC80BABB3FCAF91764F14412AF5D1D6680E770E9008B90

Function 010361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,010282D9,010282D9,?,?,?,0103644F,00000001,00000001,8BE85006), ref: 01036258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0103644F,00000001,00000001,8BE85006,?,?,?), ref: 010362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 010363D8
__freea.LIBCMT ref: 010363E5

Part of subcall function 01033820: RtlAllocateHeap.NTDLL(00000000,?,010D1444,?,0101FDF5,?,?,0100A976,00000010,010D1440,010013FC,?,010013C6,?,01001129), ref: 01033852

__freea.LIBCMT ref: 010363EE
__freea.LIBCMT ref: 01036413

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d4facbf70787419fb9a0c58f3806bda46ea8980296133901c01f5d016710930a
Instruction ID: ab842b98f8e31ece0909c9408bbc16f44568183f49fa57bc10f7b95d19f5b7fd
Opcode Fuzzy Hash: d4facbf70787419fb9a0c58f3806bda46ea8980296133901c01f5d016710930a
Instruction Fuzzy Hash: 7151E372A00216BBEB258F68CC80EBF7BEEEB84650F158669FD85D6140DB36DD40C660

Function 0108BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

Part of subcall function 0108C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0108B6AE,?,?), ref: 0108C9B5
Part of subcall function 0108C998: _wcslen.LIBCMT ref: 0108C9F1
Part of subcall function 0108C998: _wcslen.LIBCMT ref: 0108CA68
Part of subcall function 0108C998: _wcslen.LIBCMT ref: 0108CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0108BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0108BD25
RegCloseKey.ADVAPI32(00000000), ref: 0108BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0108BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0108BDF3
RegCloseKey.ADVAPI32(?), ref: 0108BDFF

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 66243ee9a9717e0372f036ff701399036cfcca87978835dc3822c890f3b47edb
Instruction ID: b02712a55a7decd810d1d6734e9bb6fd011d77edca3410443c4844d0f4affd78
Opcode Fuzzy Hash: 66243ee9a9717e0372f036ff701399036cfcca87978835dc3822c890f3b47edb
Instruction Fuzzy Hash: F3814C71208242EFE715EF24C494E6ABBE5FF84308F14859CF5D94B2A1DB32E945CB92

Function 0105F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0105F7B9
SysAllocString.OLEAUT32(00000001), ref: 0105F860
VariantCopy.OLEAUT32(0105FA64,00000000), ref: 0105F889
VariantClear.OLEAUT32(0105FA64), ref: 0105F8AD
VariantCopy.OLEAUT32(0105FA64,00000000), ref: 0105F8B1
VariantClear.OLEAUT32(?), ref: 0105F8BB

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 903deb850d21a868f08da9cef4679e6c92f1ea5366cefb83ca2933c851845322
Instruction ID: 1167e41978f56e2dcec5056a018121649aabb6d3d3ee04021035aced7ed7cc1e
Opcode Fuzzy Hash: 903deb850d21a868f08da9cef4679e6c92f1ea5366cefb83ca2933c851845322
Instruction Fuzzy Hash: 1A510435A00313BADFA0AB65C894B7EB3E8EF55310F148446ED86DF285DB788880C796

Function 0107910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 01007620: _wcslen.LIBCMT ref: 01007625

Part of subcall function 01006B57: _wcslen.LIBCMT ref: 01006B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 010794E5
_wcslen.LIBCMT ref: 01079506
_wcslen.LIBCMT ref: 0107952D
GetSaveFileNameW.COMDLG32(00000058), ref: 01079585

Strings

X, xrefs: 01079412

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: fe19663d9baa293ff6edd68e0ac4f75677f30a18150b16af8ea82719b6375224
Instruction ID: a3e3a888aecbd65594e0ab3c1909c31d8feb48af889e6114447d8b8bc4591cfe
Opcode Fuzzy Hash: fe19663d9baa293ff6edd68e0ac4f75677f30a18150b16af8ea82719b6375224
Instruction Fuzzy Hash: 72E1A231A04351CFE725EF24C480AAEB7E4BF95328F04896DE9C99B291DB31DD05CB96

Function 0101920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 01019BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01019BB2

BeginPaint.USER32(?,?,?), ref: 01019241
GetWindowRect.USER32(?,?), ref: 010192A5
ScreenToClient.USER32(?,?), ref: 010192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 010192D3
EndPaint.USER32(?,?,?,?,?), ref: 01019321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 010571EA

Part of subcall function 01019339: BeginPath.GDI32(00000000), ref: 01019357

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 0047df221d0bcde20585a78dbc57cdac38126d4739a71406dbedb97d19c69032
Instruction ID: c0def431eab5ae11db3bc8048de96cea596bdca41d820dc6fcf7618aef60741a
Opcode Fuzzy Hash: 0047df221d0bcde20585a78dbc57cdac38126d4739a71406dbedb97d19c69032
Instruction Fuzzy Hash: 1C41AD70105301AFE721DF68C894FAA7BF9FB4A324F040269F9D4872E5CB3A9845DB61

Function 010707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0107080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 01070847
EnterCriticalSection.KERNEL32(?), ref: 01070863
LeaveCriticalSection.KERNEL32(?), ref: 010708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 010708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 01070921

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 9769a29edaac0a5cdd329b98e3cba0cdacae7fc226b42f17db0b02a157cdb122
Instruction ID: b8a2f0a51ab77ad1fadf10e97eff86a3d7b5354d1d95e3122460a6caac6dafd0
Opcode Fuzzy Hash: 9769a29edaac0a5cdd329b98e3cba0cdacae7fc226b42f17db0b02a157cdb122
Instruction Fuzzy Hash: 0B417A71A00206EFEF15DF54D884AAA77B8FF05700F1480A5FD449A28ADB35EE64DBA4

Function 010981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0105F3AB,00000000,?,?,00000000,?,0105682C,00000004,00000000,00000000), ref: 0109824C
EnableWindow.USER32(?,00000000), ref: 01098272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 010982D1
ShowWindow.USER32(?,00000004), ref: 010982E5
EnableWindow.USER32(?,00000001), ref: 0109830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0109832F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: c1b0071c3f253878349705c5acff79b70d6edcf25d692a3304b11d6e91d11114
Instruction ID: f59a237b97653b9f2f903fe6f2bdf86dd26a65f48c8aabffc16a1f0eb1ce563d
Opcode Fuzzy Hash: c1b0071c3f253878349705c5acff79b70d6edcf25d692a3304b11d6e91d11114
Instruction Fuzzy Hash: 3C419734601648AFEF61CF19C5A9BE47BE0BB0B714F18C1E6EA984B367C7366441DB50

Function 010822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 010822E8

Part of subcall function 0107E4EC: GetWindowRect.USER32(?,?), ref: 0107E504

GetDesktopWindow.USER32 ref: 01082312
GetWindowRect.USER32(00000000), ref: 01082319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 01082355
GetCursorPos.USER32(?), ref: 01082381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010823DF

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 7c03581b954daae5785d2909e09efd980f9cb1a0bbc11bdfb70543bc5a094566
Instruction ID: e79d569c8a0bc1cf1eb7c2623967537acb68c029a60f7ef377f387f81f00218f
Opcode Fuzzy Hash: 7c03581b954daae5785d2909e09efd980f9cb1a0bbc11bdfb70543bc5a094566
Instruction Fuzzy Hash: B931C272509305AFD720EF58C844B9BBBE9FF88314F004A19F9C597181DB35E908CB92

Function 01064C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 01064C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 01064CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 01064CEA
_wcslen.LIBCMT ref: 01064D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 01064D10
_wcsstr.LIBVCRUNTIME ref: 01064D1A

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: b0b35f33aa8f6352bc3f90bb5665af7cef5639d07f7220b823781b0c7b62d420
Instruction ID: cb2556eab8d3cd830f2c555c41dfc5368ab55f5fdf1e0817081b0a250ffd9532
Opcode Fuzzy Hash: b0b35f33aa8f6352bc3f90bb5665af7cef5639d07f7220b823781b0c7b62d420
Instruction Fuzzy Hash: 2E212932A04205BBFB666B399C48E7F7BECDF59750F004069F885CA185DE75D84083A0

Function 0107581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 01003AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,01003A97,?,?,01002E7F,?,?,?,00000000), ref: 01003AC2

_wcslen.LIBCMT ref: 0107587B
CoInitialize.OLE32(00000000), ref: 01075995
CoCreateInstance.OLE32(0109FCF8,00000000,00000001,0109FB68,?), ref: 010759AE
CoUninitialize.OLE32 ref: 010759CC

Strings

.lnk, xrefs: 01075876, 010758C1, 01075985

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 91a6d9047b2c96c90689b4b217d4fa9217c2011ff4519cabd4e843d5ba575ce6
Instruction ID: 0391784d99626e00517081b686124700fd065c5543b2fec746a1d84674fff460
Opcode Fuzzy Hash: 91a6d9047b2c96c90689b4b217d4fa9217c2011ff4519cabd4e843d5ba575ce6
Instruction Fuzzy Hash: C4D13571A043019FD715DF18C880AAABBE5EF89714F14489DF8C99B3A1DB32ED45CB92

Function 0106175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01060FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01060FCA
Part of subcall function 01060FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01060FD6
Part of subcall function 01060FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01060FE5
Part of subcall function 01060FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01060FEC
Part of subcall function 01060FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01061002

GetLengthSid.ADVAPI32(?,00000000,01061335), ref: 010617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 010617BA
HeapAlloc.KERNEL32(00000000), ref: 010617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 010617DA
GetProcessHeap.KERNEL32(00000000,00000000,01061335), ref: 010617EE
HeapFree.KERNEL32(00000000), ref: 010617F5

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 6ecb7b779c642ebe53a2e01dd1a2a38366220617d1bebc8a77451333f8813676
Instruction ID: 3663192d36c55a7c24525d601ff86437894e93507fc2a93272ffb18c3b1660aa
Opcode Fuzzy Hash: 6ecb7b779c642ebe53a2e01dd1a2a38366220617d1bebc8a77451333f8813676
Instruction Fuzzy Hash: 4011AC71900205EFEB208FA8CD58BAE7BFDFB82255F104098F6C197200D73AAA40CB60

Function 010614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 010614FF
OpenProcessToken.ADVAPI32(00000000), ref: 01061506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 01061515
CloseHandle.KERNEL32(00000004), ref: 01061520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0106154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 01061563

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 3e2a6a95262cdfe735e6062bdfdb9ca3548a3a3ef824290f8727d9b8deca828b
Instruction ID: 3ea0acad57bc730752744138259cee18b503e5e9fad23505cb0b44ef58eadf06
Opcode Fuzzy Hash: 3e2a6a95262cdfe735e6062bdfdb9ca3548a3a3ef824290f8727d9b8deca828b
Instruction Fuzzy Hash: B7112972501249ABEF218FA8EE49BDE7BADFF48744F044055FA45A2060C3768E60DB61

Function 01023382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,01023379,01022FE5), ref: 01023390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0102339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 010233B7
SetLastError.KERNEL32(00000000,?,01023379,01022FE5), ref: 01023409

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 003d4860266c40224a78ea98db386251d67cd991d479e770fc75fc51b5512f02
Instruction ID: 47efb82e90bc2039206a70e358c875b0997fa99c98e9b2618cfb588988ea8a60
Opcode Fuzzy Hash: 003d4860266c40224a78ea98db386251d67cd991d479e770fc75fc51b5512f02
Instruction Fuzzy Hash: 77014C336083326EB6392778BD885963AD8FB1E579330826AF5D0DC2E0EF1E48034644

Function 01032D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,01035686,01043CD6,?,00000000,?,01035B6A,?,?,?,?,?,0102E6D1,?,010C8A48), ref: 01032D78
_free.LIBCMT ref: 01032DAB
_free.LIBCMT ref: 01032DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0102E6D1,?,010C8A48,00000010,01004F4A,?,?,00000000,01043CD6), ref: 01032DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0102E6D1,?,010C8A48,00000010,01004F4A,?,?,00000000,01043CD6), ref: 01032DEC
_abort.LIBCMT ref: 01032DF2

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a09553c832adfcb1414aa12b9b9b519b750677f81e7d3a654b1963fbf2455b9c
Instruction ID: bc3b7d7d4ce1098ca40b3da20f2b78e77c9d428356284ea8fa0954e8644956ee
Opcode Fuzzy Hash: a09553c832adfcb1414aa12b9b9b519b750677f81e7d3a654b1963fbf2455b9c
Instruction Fuzzy Hash: 2EF04C319056022BE273373DBC1CE9F299DBFC26A0F254019F9E8D61C4EF3984028220

Function 01098A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 01019639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 01019693
Part of subcall function 01019639: SelectObject.GDI32(?,00000000), ref: 010196A2
Part of subcall function 01019639: BeginPath.GDI32(?), ref: 010196B9
Part of subcall function 01019639: SelectObject.GDI32(?,00000000), ref: 010196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 01098A4E
LineTo.GDI32(?,00000003,00000000), ref: 01098A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 01098A70
LineTo.GDI32(?,00000000,00000003), ref: 01098A80
EndPath.GDI32(?), ref: 01098A90
StrokePath.GDI32(?), ref: 01098AA0

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a101bfaf094e13fca75026e383896ea8ac37efaa8480c62dc5a0d2ed0e589866
Instruction ID: 09d7c76780807d286c1f09967861503c5ad81544d3e2d0bf1e1e47d6a8460c0f
Opcode Fuzzy Hash: a101bfaf094e13fca75026e383896ea8ac37efaa8480c62dc5a0d2ed0e589866
Instruction Fuzzy Hash: AE115E7240010CBFEF119F94DC48E9A7F6CFB09350F008011FA4996164C7769D55DF60

Function 010651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 01065218
GetDeviceCaps.GDI32(00000000,00000058), ref: 01065229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01065230
ReleaseDC.USER32(00000000,00000000), ref: 01065238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0106524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 01065261

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 5de7665c38a0e42140fffdb2e520d6540f92e95ac83ae5ccea5b1339615d6c12
Instruction ID: 3c0233df75e348304f67a0aafa741486ab7a9c6ba975ccef54d5df4aa3f4a3e8
Opcode Fuzzy Hash: 5de7665c38a0e42140fffdb2e520d6540f92e95ac83ae5ccea5b1339615d6c12
Instruction Fuzzy Hash: 6A018F75E00709BBFB109BA59D49A4EBFB8FF49351F044065FA44A7284D6759800CBA0

Function 01001BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 01001BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 01001BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 01001C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 01001C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 01001C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 01001C22

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: e72df894e5996a118a8d11b50f6ebb9ef3a4cce7f635e4dcf2070f8c5ceacc0c
Instruction ID: 1090bf6eb3c56fc0d7ce060e9cb3e5e76bba5e9926c66e2ef49d61a464767efb
Opcode Fuzzy Hash: e72df894e5996a118a8d11b50f6ebb9ef3a4cce7f635e4dcf2070f8c5ceacc0c
Instruction Fuzzy Hash: 8A0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 0106EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0106EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0106EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0106EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0106EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0106EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0106EB75

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: faf54349a52d0027f78c8ef47a5b1f148bd19a933e52c3f2ea9b04204d453661
Instruction ID: f39cb2176e1994dca1db0c98ac9ac90f0601222af65f386d3239daf2863cabfb
Opcode Fuzzy Hash: faf54349a52d0027f78c8ef47a5b1f148bd19a933e52c3f2ea9b04204d453661
Instruction Fuzzy Hash: 0EF01D72940158BBE63156529E1EEAB3A7CFBCAB11F004158F641D108496A66A0187B5

Function 01057439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 01057452
SendMessageW.USER32(?,00001328,00000000,?), ref: 01057469
GetWindowDC.USER32(?), ref: 01057475
GetPixel.GDI32(00000000,?,?), ref: 01057484
ReleaseDC.USER32(?,00000000), ref: 01057496
GetSysColor.USER32(00000005), ref: 010574B0

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 05890e82b32d46bd963d3f89f143419f73a79270c2dc8e964b405b802e64139e
Instruction ID: e7a5475e1d7de8034bf6d6f38fbdb4f81ad67b442e5a7ba8714eb5709a6abb1f
Opcode Fuzzy Hash: 05890e82b32d46bd963d3f89f143419f73a79270c2dc8e964b405b802e64139e
Instruction Fuzzy Hash: 9E018B31800205EFEBA15FA4DD08BAE7FB5FB08311F904060FD96A20A1CF361E41AF50

Function 01061874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0106187F
UnloadUserProfile.USERENV(?,?), ref: 0106188B
CloseHandle.KERNEL32(?), ref: 01061894
CloseHandle.KERNEL32(?), ref: 0106189C
GetProcessHeap.KERNEL32(00000000,?), ref: 010618A5
HeapFree.KERNEL32(00000000), ref: 010618AC

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 2b2f598e9166229288221829a62d3d581d3db7cdc3356b70ee7ce241e8bc2ff7
Instruction ID: c326af6d32e11d02f38ba6e05b6b5153f5fe53d6a6393f9600363c824d746b5e
Opcode Fuzzy Hash: 2b2f598e9166229288221829a62d3d581d3db7cdc3356b70ee7ce241e8bc2ff7
Instruction Fuzzy Hash: 3CE0E576804501BBEB115FA1EF1C90ABF39FF4AB22B108221F26581068CB379420DB64

Function 0106C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01007620: _wcslen.LIBCMT ref: 01007625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0106C6EE
_wcslen.LIBCMT ref: 0106C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0106C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0106C7CA

Strings

0, xrefs: 0106C6AF

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: f56ab8a45152af87f6c356b823f15ac8bd7d6cb20d631e320a73ac56c0cad3a6
Instruction ID: b04ce58364253e3898f1e5e01fd5760dd7b6c005043b62c7a36ca0503f571bd3
Opcode Fuzzy Hash: f56ab8a45152af87f6c356b823f15ac8bd7d6cb20d631e320a73ac56c0cad3a6
Instruction Fuzzy Hash: 4251C0716043019BF7959E28CA84AAABBECBF49314F040A6DFAD6D3190DB78D904CB56

Function 0108AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0108AEA3

Part of subcall function 01007620: _wcslen.LIBCMT ref: 01007625

GetProcessId.KERNEL32(00000000), ref: 0108AF38
CloseHandle.KERNEL32(00000000), ref: 0108AF67

Strings

@, xrefs: 0108AE72
<, xrefs: 0108AE6B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 8c55bc6341504d333eee4c33dedc6b85df6d1e5c693024c3fae4390f1a415ba1
Instruction ID: d263ba4ee5303759e3450ad9ecbeb3ea79d9f8a466098c1e9607a162f22d194d
Opcode Fuzzy Hash: 8c55bc6341504d333eee4c33dedc6b85df6d1e5c693024c3fae4390f1a415ba1
Instruction Fuzzy Hash: A9716970A04616DFDB15EF98C484A9EBBF0FF08314F04849AE896AB791CB75ED45CB90

Function 0106719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 01067206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0106723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0106724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 010672CF

Strings

DllGetClassObject, xrefs: 01067242

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 1d01a98b38db13916627ede88028c727fe3d35a73e798a0555de842e5db599fc
Instruction ID: cbc84e32cd9028721a9ac7260b793ec659d6f28ef0db36263ea2ba8db1434e86
Opcode Fuzzy Hash: 1d01a98b38db13916627ede88028c727fe3d35a73e798a0555de842e5db599fc
Instruction Fuzzy Hash: 1D415DB1A00206AFDB25CF54C884A9A7FADEF45718F1480ADFD459F20AD7B5D944CBA0

Function 01093D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01093E35
IsMenu.USER32(?), ref: 01093E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01093E92
DrawMenuBar.USER32 ref: 01093EA5

Strings

0, xrefs: 01093D89

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: ecf92c29d60d111a796a0b8a9b02f05644231e7c8d50395ecc2b8848eed46b19
Instruction ID: b205d651825cad23ec5a4f2feed1d838aaa22aa2290e631e689dc99d0ae109d8
Opcode Fuzzy Hash: ecf92c29d60d111a796a0b8a9b02f05644231e7c8d50395ecc2b8848eed46b19
Instruction Fuzzy Hash: 55418774A01209EFEF20DF64D894EEABBF9FF48350F044069E981AB280D730A940DF60

Function 01061DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

Part of subcall function 01063CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01063CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01061E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01061E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 01061EA9

Part of subcall function 01006B57: _wcslen.LIBCMT ref: 01006B6A

Strings

ListBox, xrefs: 01061E25
ComboBox, xrefs: 01061DF0

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 906ff5e6ee84f682fa4fc9b7876a8816b59a9a0b42dc1060e28a19d034421330
Instruction ID: 0b7a55022188764e27d212609eba3999ca17a8949b5409e8c6e623bfa7d11e74
Opcode Fuzzy Hash: 906ff5e6ee84f682fa4fc9b7876a8816b59a9a0b42dc1060e28a19d034421330
Instruction Fuzzy Hash: 36214472E00109BEEB14ABA4DC44CFFBBBDEF95364F004119F4A5A72D0DB3999098B60

Function 01092F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01092F8D
LoadLibraryW.KERNEL32(?), ref: 01092F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01092FA9
DestroyWindow.USER32(?), ref: 01092FB1

Strings

SysAnimate32, xrefs: 01092F68

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 83e8e4b33c682de5fcdd76e2faeed484d38ef44cfffa5666696a22f34152b032
Instruction ID: 9a7c0ced2314fc2fe1cf917e8716790838af7965e6fc21fae4ed82a1111a4613
Opcode Fuzzy Hash: 83e8e4b33c682de5fcdd76e2faeed484d38ef44cfffa5666696a22f34152b032
Instruction Fuzzy Hash: BD21AE72600209BBFF218E68DCB0EBB37E9EB49364F100668FAD4D6190D771DC51AB60

Function 01024D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,01024D1E,010328E9,?,01024CBE,010328E9,010C88B8,0000000C,01024E15,010328E9,00000002), ref: 01024D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01024DA0
FreeLibrary.KERNEL32(00000000,?,?,?,01024D1E,010328E9,?,01024CBE,010328E9,010C88B8,0000000C,01024E15,010328E9,00000002,00000000), ref: 01024DC3

Strings

mscoree.dll, xrefs: 01024D86
CorExitProcess, xrefs: 01024D98

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ba75e70706b135682c9e3d43105e3f86c874899af9606a57ef928eb0f1fee299
Instruction ID: 6358d7989ffb02a4deb3a31fd4db95038e4167b30ef2d00cd3cbc8007ca37e43
Opcode Fuzzy Hash: ba75e70706b135682c9e3d43105e3f86c874899af9606a57ef928eb0f1fee299
Instruction Fuzzy Hash: F4F0AF30A00218BBEB209F94D959BAEBFF4FF04711F4001A8F989A6254CB354A40CB90

Function 0105D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0105D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0105D3BF
FreeLibrary.KERNEL32(00000000), ref: 0105D3E5

Strings

X64, xrefs: 0105D2A8
GetSystemWow64DirectoryW, xrefs: 0105D3B9

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 48ad0bd8fe6c1da84b103c3e93773071a73af62b670ea12ee14c4599e714a621
Instruction ID: 259c71da51a9490b38e7540b70ca22fdaac0f5a756f019d5062a3b3c779b3fec
Opcode Fuzzy Hash: 48ad0bd8fe6c1da84b103c3e93773071a73af62b670ea12ee14c4599e714a621
Instruction Fuzzy Hash: 80F020B08026219BE7F257A4887892F3A60BF11B41B80C18BFCC2E2019DB34CA808B81

Function 01004E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,01004EDD,?,010D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01004E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 01004EAE
FreeLibrary.KERNEL32(00000000,?,?,01004EDD,?,010D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01004EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 01004EA8
kernel32.dll, xrefs: 01004E94

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 916392cc0ca80cf918f74405c42d0c180ae71324af7a5329d7c40bb4ba4059b9
Instruction ID: a8a13a524096262ad89f3698c729245e175af6a032c7894b2bc2afba52e18aed
Opcode Fuzzy Hash: 916392cc0ca80cf918f74405c42d0c180ae71324af7a5329d7c40bb4ba4059b9
Instruction Fuzzy Hash: C3E08635E065225BB27216297838A5F7994AF82F62F050159FE84D6144DB64CC0245E8

Function 01004E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,01043CDE,?,010D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01004E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 01004E74
FreeLibrary.KERNEL32(00000000,?,?,01043CDE,?,010D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 01004E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 01004E6E
kernel32.dll, xrefs: 01004E5B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 8d567760dc418c9447d2ac54537729f3254954b390300cb90c17749273f15417
Instruction ID: 2c3e64d67245736fc70c5b69be295377ecb136a0ce7ca70c7a6f7e7d4f056273
Opcode Fuzzy Hash: 8d567760dc418c9447d2ac54537729f3254954b390300cb90c17749273f15417
Instruction Fuzzy Hash: E7D0C231D06621577A331A297C38ECF3E58AF82F11705015DBB88E6148CF26CD0186D8

Function 01072947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01072C05
DeleteFileW.KERNEL32(?), ref: 01072C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01072C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01072CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01072CC0

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 893edaab75e358a9760038ab44320a5f085f30f762b5aef445b550171c5d3166
Instruction ID: 42eb8f96b7db42b5f3275b4e4961edd80e8584310b53de17e96b31c379169bc8
Opcode Fuzzy Hash: 893edaab75e358a9760038ab44320a5f085f30f762b5aef445b550171c5d3166
Instruction Fuzzy Hash: 81B12E71D0012EABDF21DFA4CC84EEEBBBDEF59350F0040A6F649E6144EA359A448F65

Function 0108A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0108A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0108A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0108A468
CloseHandle.KERNEL32(?), ref: 0108A63D

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 1b8eb6b9e548e289f07a08319b0582e9205333eaff83ef8b22deb7ab2e990da0
Instruction ID: 2fa35b7d6f4aca5b78bcaba9b87a5dede49933f0038cf96890e8aa219878f98d
Opcode Fuzzy Hash: 1b8eb6b9e548e289f07a08319b0582e9205333eaff83ef8b22deb7ab2e990da0
Instruction Fuzzy Hash: 1DA1C2B16043019FE720EF28C881F6AB7E1AF98714F14885DF5DA9B6D1DB71EC418B92

Function 0103BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,010A3700), ref: 0103BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,010D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0103BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,010D1270,000000FF,?,0000003F,00000000,?), ref: 0103BC36
_free.LIBCMT ref: 0103BB7F

Part of subcall function 010329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0103D7D1,00000000,00000000,00000000,00000000,?,0103D7F8,00000000,00000007,00000000,?,0103DBF5,00000000), ref: 010329DE
Part of subcall function 010329C8: GetLastError.KERNEL32(00000000,?,0103D7D1,00000000,00000000,00000000,00000000,?,0103D7F8,00000000,00000007,00000000,?,0103DBF5,00000000,00000000), ref: 010329F0

_free.LIBCMT ref: 0103BD4B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: c3a924189728f587b07c3cac698ae2d61d714ca7110085c0c8f81c622aa8c14c
Instruction ID: 0bdc73873cbe8a373254bc1e409eee5c4ce199dcc84a7497bc1aa856601dbae0
Opcode Fuzzy Hash: c3a924189728f587b07c3cac698ae2d61d714ca7110085c0c8f81c622aa8c14c
Instruction Fuzzy Hash: E551C971900219AFDB34EF69DC809BEBBBCEF85354B1042AAE5D4D7194EF719A408B50

Function 0106E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0106DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0106CF22,?), ref: 0106DDFD

Part of subcall function 0106DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0106CF22,?), ref: 0106DE16

Part of subcall function 0106E199: GetFileAttributesW.KERNEL32(?,0106CF95), ref: 0106E19A

lstrcmpiW.KERNEL32(?,?), ref: 0106E473
MoveFileW.KERNEL32(?,?), ref: 0106E4AC
_wcslen.LIBCMT ref: 0106E5EB
_wcslen.LIBCMT ref: 0106E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0106E650

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 5812b5fb67e7358850291c32c3a6afdaf3bb2dd4aa67e149961feda16b3c4ee4
Instruction ID: 2e8cfcda06009f113a3aaba3e945de32463fa3c5dbbccce008dea012b7ebfc29
Opcode Fuzzy Hash: 5812b5fb67e7358850291c32c3a6afdaf3bb2dd4aa67e149961feda16b3c4ee4
Instruction Fuzzy Hash: 675193B25083859FD764EBA4CC909DF77ECAF94244F00491EE6C9D3181EF74E288876A

Function 0108B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

Part of subcall function 0108C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0108B6AE,?,?), ref: 0108C9B5
Part of subcall function 0108C998: _wcslen.LIBCMT ref: 0108C9F1
Part of subcall function 0108C998: _wcslen.LIBCMT ref: 0108CA68
Part of subcall function 0108C998: _wcslen.LIBCMT ref: 0108CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0108BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0108BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0108BB63
RegCloseKey.ADVAPI32(?,?), ref: 0108BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0108BBB3

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f00dede69342c1a530e7e8291a982094be049a91e0cdb6509f4023cb69cbaa18
Instruction ID: f83c971ccf0e1feb40336d7b51be4582966a66f9b93d40dfd50f02651e4d482b
Opcode Fuzzy Hash: f00dede69342c1a530e7e8291a982094be049a91e0cdb6509f4023cb69cbaa18
Instruction Fuzzy Hash: FF616E31208241AFE715EF14C494E6ABBE5FF84308F54859CF5D98B2A2DB31E945CB92

Function 01068BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01068BCD
VariantClear.OLEAUT32 ref: 01068C3E
VariantClear.OLEAUT32 ref: 01068C9D
VariantClear.OLEAUT32(?), ref: 01068D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 01068D3B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 203d8f7cc84afc1007b2bdd13a6b15ccae7616e14d8b037c9e3cf1cbc9119555
Instruction ID: 8969d3daa7bb0b36f56b4333433c7ac34e97690546b81489f36978c6baa04d23
Opcode Fuzzy Hash: 203d8f7cc84afc1007b2bdd13a6b15ccae7616e14d8b037c9e3cf1cbc9119555
Instruction Fuzzy Hash: 79515CB5A00219EFDB14DF58C894AAABBF8FF89310F05855AE945DB314E734E911CFA0

Function 01078AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 01078BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 01078BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 01078C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 01078C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 01078C5F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 28d6cc18b90198045da284096ad4f7a09600efa99328287fb78ac7130e0f4666
Instruction ID: ce849c782d72a3c230670f3544518d4dacbf497ba366aae46db3d181d2616981
Opcode Fuzzy Hash: 28d6cc18b90198045da284096ad4f7a09600efa99328287fb78ac7130e0f4666
Instruction Fuzzy Hash: D9515D35A002199FDB11DF64C884AADBBF5FF48314F08C499E889AB3A1CB35ED41CB91

Function 01088EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 01088F40
GetProcAddress.KERNEL32(00000000,?), ref: 01088FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 01088FEC
GetProcAddress.KERNEL32(00000000,?), ref: 01089032
FreeLibrary.KERNEL32(00000000), ref: 01089052

Part of subcall function 0101F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,01071043,?,75C0E610), ref: 0101F6E6
Part of subcall function 0101F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0105FA64,00000000,00000000,?,?,01071043,?,75C0E610,?,0105FA64), ref: 0101F70D

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: e8d208d584289d86fb3ed887348b9b295c60763d628f8fadb7086991c21163b0
Instruction ID: ab4a1b530bea48e304beaf0eadbbba851e3da05b2f657009ca15285eba5a8232
Opcode Fuzzy Hash: e8d208d584289d86fb3ed887348b9b295c60763d628f8fadb7086991c21163b0
Instruction Fuzzy Hash: E0513934605205DFDB11EF58C4948ADBBF1FF59318B4480A9E98A9B362DB31ED86CF90

Function 01096B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 01096C33
SetWindowLongW.USER32(?,000000EC,?), ref: 01096C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 01096C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0107AB79,00000000,00000000), ref: 01096C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 01096CC7

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: d392b15800d878cb6a97e04ff8472d2fcf1450f0a4d86ea4dedfca299489b5d5
Instruction ID: 680a07bfebc8894e8d5757fc76d9af2d95c0f8a05140ab2ac2b6cac3781e0113
Opcode Fuzzy Hash: d392b15800d878cb6a97e04ff8472d2fcf1450f0a4d86ea4dedfca299489b5d5
Instruction Fuzzy Hash: DA41B175E04148AFEF24CE68C964FB97FA4EB09350F050268F999A7291D772AD40EA90

Function 01032051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 010320C3
_free.LIBCMT ref: 010320E3

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: aa4958165774f91c809cd7d4e1abae34f11f392a4f94007141fb262802cbae85
Instruction ID: 9c265b798f3cd2aaf74aa9967291d477b3af6442b64c32c9dfec1874ac1c2dc6
Opcode Fuzzy Hash: aa4958165774f91c809cd7d4e1abae34f11f392a4f94007141fb262802cbae85
Instruction Fuzzy Hash: 7B411736A002009FDB21DF78C980A9EB7FAEFC9710F1545A9E695EB356D731E901CB80

Function 0101912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01019141
ScreenToClient.USER32(00000000,?), ref: 0101915E
GetAsyncKeyState.USER32(00000001), ref: 01019183
GetAsyncKeyState.USER32(00000002), ref: 0101919D

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 17f392c89ee016c05c3c254b624f3124a35ceb681f3c682f92aeac574c2b1e4e
Instruction ID: 4f498151a9699e65c67f3dbe10149a4631cc4518cf52eee40cd4b0e2b833ebde
Opcode Fuzzy Hash: 17f392c89ee016c05c3c254b624f3124a35ceb681f3c682f92aeac574c2b1e4e
Instruction Fuzzy Hash: 6B41047190420AFBDF559FA8C858BEEBBB1FF05324F104219E8A5A32D4C7346980CF91

Function 01073874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 010738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 01073922
TranslateMessage.USER32(?), ref: 0107394B
DispatchMessageW.USER32(?), ref: 01073955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01073966

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: c34a0623d367a853c897db503cba73318bd6675c31501b104d5cbca3685ce4e8
Instruction ID: 5fef40bc971f721a46501c1a5b177920e5894d57e5de35df72ba9493099f74e2
Opcode Fuzzy Hash: c34a0623d367a853c897db503cba73318bd6675c31501b104d5cbca3685ce4e8
Instruction Fuzzy Hash: 8F31E570D05342AEFB75CB38D449BB67BE8BB05300F0445ADD9E28A1C5EB7A9084EB25

Function 01061901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01061915
PostMessageW.USER32(00000001,00000201,00000001), ref: 010619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 010619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 010619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 010619E2

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 047e4127c7b37d81210b7cd4e12cf845b249cca87bd22c8bb2260aac5e3e303f
Instruction ID: d27476e6c8e832163c9e5fb8a173d96ebc1e3c069b116c026393d1b05b42c683
Opcode Fuzzy Hash: 047e4127c7b37d81210b7cd4e12cf845b249cca87bd22c8bb2260aac5e3e303f
Instruction Fuzzy Hash: 9131D171A00219EFDB10CFACC988ADE3BB9FB45315F004269F9A1E72C1C770A944CBA0

Function 01095706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 01095745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0109579D
_wcslen.LIBCMT ref: 010957AF
_wcslen.LIBCMT ref: 010957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 01095816

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: a2f4f62273145f2f47cf236993869c5fd75bfa94011ef4ac52a05586e0399fb3
Instruction ID: d83e2236a5ad31decfe604c3d1125875a34f0c7ba74d2077f83e0b3859d0a302
Opcode Fuzzy Hash: a2f4f62273145f2f47cf236993869c5fd75bfa94011ef4ac52a05586e0399fb3
Instruction Fuzzy Hash: 5B21B971A042189AEF619FA5DC54AEEBBB8FF04724F008157EAA9EB180D7709685CF50

Function 01080930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01080951
GetForegroundWindow.USER32 ref: 01080968
GetDC.USER32(00000000), ref: 010809A4
GetPixel.GDI32(00000000,?,00000003), ref: 010809B0
ReleaseDC.USER32(00000000,00000003), ref: 010809E8

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ed0c344e6b89a2bd619fc42ef6ca72e1f8bc3fafe7c118843966256c7f95c0df
Instruction ID: f15799294a399d72a863fdbd6d597cd67f01caa1f647c1472fb38f7a3b4fec4d
Opcode Fuzzy Hash: ed0c344e6b89a2bd619fc42ef6ca72e1f8bc3fafe7c118843966256c7f95c0df
Instruction Fuzzy Hash: CC218175A00204AFE714EF69C994AAEBBE5FF58700F048468E8DA97390DA35AC44CB90

Function 0103CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0103CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0103CDE9

Part of subcall function 01033820: RtlAllocateHeap.NTDLL(00000000,?,010D1444,?,0101FDF5,?,?,0100A976,00000010,010D1440,010013FC,?,010013C6,?,01001129), ref: 01033852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0103CE0F
_free.LIBCMT ref: 0103CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0103CE31

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ae6fd9f53bc06f5e4576bdaedf6e8a2b45cfacda223f844f1df0ffdec2d72e06
Instruction ID: 696c7839aeac63cf0b75b573f6b3076707b78d5c89935766fb1ad38caf447894
Opcode Fuzzy Hash: ae6fd9f53bc06f5e4576bdaedf6e8a2b45cfacda223f844f1df0ffdec2d72e06
Instruction Fuzzy Hash: 9A01AC72A022157F3331257A6D8CD7F7DADEEC7AA1315415BFE45E7104DA658D0182B0

Function 01019639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 01019693
SelectObject.GDI32(?,00000000), ref: 010196A2
BeginPath.GDI32(?), ref: 010196B9
SelectObject.GDI32(?,00000000), ref: 010196E2

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3a9afea92e30a2ddf70e89505ffffcbd1d7f2bedb869b43ef20b329ecdced181
Instruction ID: 3d8ed2b37e9c1800937c4cb8ad6be49ef35e17b443f7af2dbf449fddf177ad16
Opcode Fuzzy Hash: 3a9afea92e30a2ddf70e89505ffffcbd1d7f2bedb869b43ef20b329ecdced181
Instruction Fuzzy Hash: 6A21B070803305EBEB21DF68E9147A9BBA8BB45369F000616F8D0A20DDC77E5491CBA4

Function 01065711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 01065726
_memcmp.LIBVCRUNTIME ref: 01065744
_memcmp.LIBVCRUNTIME ref: 01065757
_memcmp.LIBVCRUNTIME ref: 0106576F
_memcmp.LIBVCRUNTIME ref: 01065787

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9016c34ab4119ac9c863dd3db70691934f16625e455ee84b89e62cd0352ffeb1
Instruction ID: 74f6860e183d60bcee2283a44325a3b9e28d0dadfb17710c1de0279e939732c9
Opcode Fuzzy Hash: 9016c34ab4119ac9c863dd3db70691934f16625e455ee84b89e62cd0352ffeb1
Instruction Fuzzy Hash: D701B5B164121ABBE7085515AE91FFB739DAB612E4F008024FDC4AE601F7B5ED2092E0

Function 01032DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0102F2DE,01033863,010D1444,?,0101FDF5,?,?,0100A976,00000010,010D1440,010013FC,?,010013C6), ref: 01032DFD
_free.LIBCMT ref: 01032E32
_free.LIBCMT ref: 01032E59
SetLastError.KERNEL32(00000000,01001129), ref: 01032E66
SetLastError.KERNEL32(00000000,01001129), ref: 01032E6F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: a1654815ef169de1afb0a53722c471ed949622786ae82a29d0785cca63d8a9a8
Instruction ID: db15483cfe0cb5bbcdadcda3d8b587b8567d0b6f10c57f243b72700321ba5b01
Opcode Fuzzy Hash: a1654815ef169de1afb0a53722c471ed949622786ae82a29d0785cca63d8a9a8
Instruction Fuzzy Hash: BA014C366046016FE62376797D86DAF259DBFE13B17154029F9E5E31C5EF79C8014230

Function 0106000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0105FF41,80070057,?,?,?,0106035E), ref: 0106002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0105FF41,80070057,?,?), ref: 01060046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0105FF41,80070057,?,?), ref: 01060054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0105FF41,80070057,?), ref: 01060064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0105FF41,80070057,?,?), ref: 01060070

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 65ffc9baa61bd76e327e5f63115a8c9a02e2b0cc6202125cfd805005d386894d
Instruction ID: 2a6912de18200d186a58df1b3441242240aeba97733e64c26944039b578909cc
Opcode Fuzzy Hash: 65ffc9baa61bd76e327e5f63115a8c9a02e2b0cc6202125cfd805005d386894d
Instruction Fuzzy Hash: B101A272A40205BFFB204F68DD08BAA7EEDFF447A1F144124FA85D6218D776DD408BA0

Function 0106E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0106E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0106E9A5
Sleep.KERNEL32(00000000), ref: 0106E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0106E9B7
Sleep.KERNEL32 ref: 0106E9F3

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 78a445713764d270a1816691b8983bb4bb43a4f767aaae16946f52a965480279
Instruction ID: 187c07f5ceeb2d78dc945de506537a84cbb8e5ffd7eacd259824464ec325531d
Opcode Fuzzy Hash: 78a445713764d270a1816691b8983bb4bb43a4f767aaae16946f52a965480279
Instruction Fuzzy Hash: 95016975D0162DDBDF50EFE4D968AEDBBB8FF09700F000556E582B2244CB399550CBA5

Function 010610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01061114
GetLastError.KERNEL32(?,00000000,00000000,?,?,01060B9B,?,?,?), ref: 01061120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01060B9B,?,?,?), ref: 0106112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01060B9B,?,?,?), ref: 01061136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0106114D

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b2689edbc7476387577c04b1fa8590608e2087276ff55c5d23e83a2e992cfc9b
Instruction ID: 2aa1b0ef9b6514183846b938ff09ec74054e3f8043ca628c930255e7ee2c980d
Opcode Fuzzy Hash: b2689edbc7476387577c04b1fa8590608e2087276ff55c5d23e83a2e992cfc9b
Instruction Fuzzy Hash: 4F016DB5500205BFEB214F68DD59A6A3FAEFFC5260B504455F981C7350DA36DC008B60

Function 01060FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01060FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01060FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01060FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01060FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01061002

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 60ce8ec8362bd22524fc9e25ca2dcbf81ca50ed3500cd1f78eb8bbac85be8518
Instruction ID: 861efd5ec1158fb077eaa671e34c5e002e152a338d7dc7c3a796545669eb5010
Opcode Fuzzy Hash: 60ce8ec8362bd22524fc9e25ca2dcbf81ca50ed3500cd1f78eb8bbac85be8518
Instruction Fuzzy Hash: CCF04975600301ABEB214FA89E59F5A3BADFFCA662F604454FA85C6251CA76D8108B70

Function 01061014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0106102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01061036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01061045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0106104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01061062

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 072498fa8a43d8ff88d356357d8118d267bb40af9cb2bcbabd5aaee117fee5da
Instruction ID: 72a228531df3ec85b370e86faa8bd1bc68609e44f93b24f9addc7bd279fa4ba6
Opcode Fuzzy Hash: 072498fa8a43d8ff88d356357d8118d267bb40af9cb2bcbabd5aaee117fee5da
Instruction Fuzzy Hash: FEF06275600311ABEB225FA8ED59F563FADFFCA661F100414FA85C7250CA75D9108B70

Function 0107030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0107017D,?,010732FC,?,00000001,01042592,?), ref: 01070324
CloseHandle.KERNEL32(?,?,?,?,0107017D,?,010732FC,?,00000001,01042592,?), ref: 01070331
CloseHandle.KERNEL32(?,?,?,?,0107017D,?,010732FC,?,00000001,01042592,?), ref: 0107033E
CloseHandle.KERNEL32(?,?,?,?,0107017D,?,010732FC,?,00000001,01042592,?), ref: 0107034B
CloseHandle.KERNEL32(?,?,?,?,0107017D,?,010732FC,?,00000001,01042592,?), ref: 01070358
CloseHandle.KERNEL32(?,?,?,?,0107017D,?,010732FC,?,00000001,01042592,?), ref: 01070365

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 24d8afa7d2ea1b893810d3316a201bdcb7cf125bb11ec4e7f2b1fe275d64aa9b
Instruction ID: 66fdbffd14c98ff88b1c0d0e26023581e04c77e0e19fbbb5bfa9d99059435f16
Opcode Fuzzy Hash: 24d8afa7d2ea1b893810d3316a201bdcb7cf125bb11ec4e7f2b1fe275d64aa9b
Instruction Fuzzy Hash: 10019072800B159FD7309F6AD890413FBF9BE51215315CA7EE29652931C371A954CF84

Function 0103D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0103D752

Part of subcall function 010329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0103D7D1,00000000,00000000,00000000,00000000,?,0103D7F8,00000000,00000007,00000000,?,0103DBF5,00000000), ref: 010329DE
Part of subcall function 010329C8: GetLastError.KERNEL32(00000000,?,0103D7D1,00000000,00000000,00000000,00000000,?,0103D7F8,00000000,00000007,00000000,?,0103DBF5,00000000,00000000), ref: 010329F0

_free.LIBCMT ref: 0103D764
_free.LIBCMT ref: 0103D776
_free.LIBCMT ref: 0103D788
_free.LIBCMT ref: 0103D79A

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b29327cf8489c00fc2ee241ffbee4f9f11ef7a32d6b1d4f5795792e21659027e
Instruction ID: 72d7dc43d57b07fe797ee95ba58d54f5b874ba9b07717f4af8afa01a8fa2f8b3
Opcode Fuzzy Hash: b29327cf8489c00fc2ee241ffbee4f9f11ef7a32d6b1d4f5795792e21659027e
Instruction Fuzzy Hash: 18F06232500255AFA662EBA8F6C5C5B7BDDBB842603D4088AF1C8D7504D735F8808B64

Function 01065C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 01065C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 01065C6F
MessageBeep.USER32(00000000), ref: 01065C87
KillTimer.USER32(?,0000040A), ref: 01065CA3
EndDialog.USER32(?,00000001), ref: 01065CBD

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: eeb26359e0ffc62eaae103e8a50911913219375468787584c101b80193eb7a2c
Instruction ID: 8a2fce0ead0cfd2235cfc7e8e4d22f4594f8bd53bd30e4fbeb9616104c824a7b
Opcode Fuzzy Hash: eeb26359e0ffc62eaae103e8a50911913219375468787584c101b80193eb7a2c
Instruction Fuzzy Hash: BF018630900708AFFB315B14DE5EFA67BBCBB04B45F040659A6C3A10D5DBF5A9848B90

Function 010322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 010322BE

Part of subcall function 010329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0103D7D1,00000000,00000000,00000000,00000000,?,0103D7F8,00000000,00000007,00000000,?,0103DBF5,00000000), ref: 010329DE
Part of subcall function 010329C8: GetLastError.KERNEL32(00000000,?,0103D7D1,00000000,00000000,00000000,00000000,?,0103D7F8,00000000,00000007,00000000,?,0103DBF5,00000000,00000000), ref: 010329F0

_free.LIBCMT ref: 010322D0
_free.LIBCMT ref: 010322E3
_free.LIBCMT ref: 010322F4
_free.LIBCMT ref: 01032305

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ee6f0c62bb2aaf41f9c9dce9f7f78cc0f55fa7927530d474402181490f1d0bf3
Instruction ID: f9f320151fe5ff512bcc09d6f9f8222142d7d1b9ce73b306a3997a51e16aeb1b
Opcode Fuzzy Hash: ee6f0c62bb2aaf41f9c9dce9f7f78cc0f55fa7927530d474402181490f1d0bf3
Instruction Fuzzy Hash: B8F054B44021319B9622AF54F90085D3BA8F7687A0711058BF8D8D226CCB3B04129FE4

Function 010195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 010195D4
StrokeAndFillPath.GDI32(?,?,010571F7,00000000,?,?,?), ref: 010195F0
SelectObject.GDI32(?,00000000), ref: 01019603
DeleteObject.GDI32 ref: 01019616
StrokePath.GDI32(?), ref: 01019631

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1c1fba4c7d041dcdca1ebb53cc30120da94cf80334ee3a60c7d0ca2c56761f26
Instruction ID: 582ec5efddcb2591e11da8f967765830e9e961c19b3842d589ad28d03b378c5e
Opcode Fuzzy Hash: 1c1fba4c7d041dcdca1ebb53cc30120da94cf80334ee3a60c7d0ca2c56761f26
Instruction Fuzzy Hash: CFF03C30406204ABEB365F69EA1C7687FA1BB45326F048214F9E5550F8CB3E8591CF34

Function 01030F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 010310F9
__freea.LIBCMT ref: 01031117

Part of subcall function 01031537: _free.LIBCMT ref: 0103154F

Strings

am/pm, xrefs: 0103117A
a/p, xrefs: 010311DE

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: d1f34b221b092da84048b774b8e257e2f96f2a2a4fd81cb8e1d86a5018fa1d6b
Instruction ID: 398de35d49b7421fa907c7db60025fa3995aa99696c01953001d164a1a2c1de1
Opcode Fuzzy Hash: d1f34b221b092da84048b774b8e257e2f96f2a2a4fd81cb8e1d86a5018fa1d6b
Instruction Fuzzy Hash: EDD10571A00206DAEB658F6CC8457FEBBF9FF8E300F148199E6C19B690D3759941CB91

Function 01087B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 01020242: EnterCriticalSection.KERNEL32(010D070C,010D1884,?,?,0101198B,010D2518,?,?,?,010012F9,00000000), ref: 0102024D
Part of subcall function 01020242: LeaveCriticalSection.KERNEL32(010D070C,?,0101198B,010D2518,?,?,?,010012F9,00000000), ref: 0102028A

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

Part of subcall function 010200A3: __onexit.LIBCMT ref: 010200A9

__Init_thread_footer.LIBCMT ref: 01087BFB

Part of subcall function 010201F8: EnterCriticalSection.KERNEL32(010D070C,?,?,01018747,010D2514), ref: 01020202
Part of subcall function 010201F8: LeaveCriticalSection.KERNEL32(010D070C,?,01018747,010D2514), ref: 01020235

Strings

5, xrefs: 01087C78
Variable must be of type 'Object'., xrefs: 01087C3A
G, xrefs: 01087C7F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: fec06af5cfcd1846ccaae97ed8475d22fcc10715ddc0b51e9e79f13a4cee3468
Instruction ID: b1a51cff28259e4f79d06834d4eac0fc35e1a74fd24b508cb9de81e5ef17904b
Opcode Fuzzy Hash: fec06af5cfcd1846ccaae97ed8475d22fcc10715ddc0b51e9e79f13a4cee3468
Instruction Fuzzy Hash: AA916C71A0420AEFDB15FF58D8909EDBBB1BF48304F208099E9C69B295DB71AE41CB51

Function 01062716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0106B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010621D0,?,?,00000034,00000800,?,00000034), ref: 0106B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 01062760

Part of subcall function 0106B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0106B3F8

Part of subcall function 0106B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0106B355
Part of subcall function 0106B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,01062194,00000034,?,?,00001004,00000000,00000000), ref: 0106B365
Part of subcall function 0106B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,01062194,00000034,?,?,00001004,00000000,00000000), ref: 0106B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0106281A

Strings

@, xrefs: 01062832

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 8432786fbc49b96519384e86feeb58c63f6c8684a13352b3b372b2c1d4543541
Instruction ID: e759a7b0ad2ac265459e296e3ecab39ff0e94387bb7793e568f1a4c391f6285a
Opcode Fuzzy Hash: 8432786fbc49b96519384e86feeb58c63f6c8684a13352b3b372b2c1d4543541
Instruction Fuzzy Hash: 79412E72A00219AFDB10DFA4CD45FEEBBB8EF19700F108095EA95B7180DB716E45CBA1

Function 0103172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 01031769
_free.LIBCMT ref: 01031834
_free.LIBCMT ref: 0103183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 01031760, 01031767, 01031796, 010317CE

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: 54aa16365720aa26f2f687e9dc63f2789520f1997268ad685cc9a33b1f586def
Instruction ID: 89777e013fa14f346d8e772b48544cd5f65cbb4800e6381aa845a50fb7ec3e66
Opcode Fuzzy Hash: 54aa16365720aa26f2f687e9dc63f2789520f1997268ad685cc9a33b1f586def
Instruction Fuzzy Hash: B3318375A00219EFDB22DF99D884DAEBBFCFFD9350B1441A6E984D7200DA718A41CB94

Function 0106C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0106C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0106C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,010D1990,00B94AF8), ref: 0106C395

Strings

0, xrefs: 0106C2DF

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 235595c38dda6f336acaa210d232a1f05530971d9edc17cc413ad1f97d16826b
Instruction ID: b34dcc45262af5de4ee7823919358d5dc07ad5bfeff568d16cbee358308bc7b6
Opcode Fuzzy Hash: 235595c38dda6f336acaa210d232a1f05530971d9edc17cc413ad1f97d16826b
Instruction Fuzzy Hash: 1841A2712043129FE724DF29D944B5ABBE8AF95310F04865DF9E5972D1D730E604CB62

Function 01094416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0109CC08,00000000,?,?,?,?), ref: 010944AA
GetWindowLongW.USER32 ref: 010944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 010944D7

Strings

SysTreeView32, xrefs: 0109447C

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: dddefc47ff4855dbed6c10c8d650fb36bfaafa2a9164f9baabaa1c4a844bb979
Instruction ID: 7622c90105897a47011908365655cd7e6b853104e70a0478eda2402b2231ec65
Opcode Fuzzy Hash: dddefc47ff4855dbed6c10c8d650fb36bfaafa2a9164f9baabaa1c4a844bb979
Instruction Fuzzy Hash: 9931DE31200206AFEF618E78DD54BEA7BA9EB08334F204719F9B9D21D1DB74E851AB50

Function 0108304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0108335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,01083077,?,?), ref: 01083378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0108307A
_wcslen.LIBCMT ref: 0108309B
htons.WSOCK32(00000000,?,?,00000000), ref: 01083106

Strings

255.255.255.255, xrefs: 01083095, 0108309A

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 265cebd7e8060711eb790bf99b11b165bc63f76ce0bddab00c56e496c1ed169c
Instruction ID: e9d149bc2e46bade63e9f017728bb697173954b5cc2dfd906c0ada0fc552f5e2
Opcode Fuzzy Hash: 265cebd7e8060711eb790bf99b11b165bc63f76ce0bddab00c56e496c1ed169c
Instruction Fuzzy Hash: 0331D4356082019FDB20EF2CC595AAA7BF0FF94B18F148199E5D58F392CB72D942CB60

Function 01093EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01093F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01093F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 01093F78

Strings

SysMonthCal32, xrefs: 01093F0B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 68756072acaa551c2cf98ffb9427900b2c3333712e579515d2dcb437f9753792
Instruction ID: f64179b1fcf487a50742c95d45201d5ec8eadb4f9c32b0d68916c7f57f4bd60d
Opcode Fuzzy Hash: 68756072acaa551c2cf98ffb9427900b2c3333712e579515d2dcb437f9753792
Instruction Fuzzy Hash: 9A219F32600219BBEF22DE64CC56FEA3BB9FB48714F110254FA956B1C0D6B6A8509B90

Function 01094653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01094705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01094713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0109471A

Strings

msctls_updown32, xrefs: 01094684

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f724f6eda4e52fb05b6a1dd92a26c3f1257f9ed62696525aea00832ca6b4237a
Instruction ID: bcf86b327faa3914e264c2a3ce8d8c86dbb069c18b80a2503eb92a5cefdb6c30
Opcode Fuzzy Hash: f724f6eda4e52fb05b6a1dd92a26c3f1257f9ed62696525aea00832ca6b4237a
Instruction Fuzzy Hash: 412190B5600209AFEB11DF68DCD0DBB77EDEB4A294B000059FA40DB251DB71EC12DB60

Function 010695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0106961D

Strings

#notrayicon, xrefs: 010695B7
#requireadmin, xrefs: 010695D9
#OnAutoItStartRegister, xrefs: 010695F3

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: dc192602de7a747dd080d5573553edbbcd1ea5d11fa24eff7b2b8ef5eb5c651a
Instruction ID: f07741be11b539b474ef6359713d94b239619fdd417a02056f122381f0518daf
Opcode Fuzzy Hash: dc192602de7a747dd080d5573553edbbcd1ea5d11fa24eff7b2b8ef5eb5c651a
Instruction Fuzzy Hash: C1215B722043226AE731AB299C01FFB77DC9F69308F04402AFAC9DB441EBB5AD45C395

Function 010937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01093840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01093850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01093876

Strings

Listbox, xrefs: 0109380F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: d2481258595b6ed5a392dc0fa87b11c767cccfd82c8f78e609a819b0a4e6983c
Instruction ID: 783273a3cd327dfea3e8c0271456361ef4d874a55073a0afd2ff4985325b06c5
Opcode Fuzzy Hash: d2481258595b6ed5a392dc0fa87b11c767cccfd82c8f78e609a819b0a4e6983c
Instruction Fuzzy Hash: 4121AF72600218BBEF228E68CC55EAB77AAFF89750F108154F9809F190C6729C519BA0

Function 010749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 01074A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 01074A5C
SetErrorMode.KERNEL32(00000000,?,?,0109CC08), ref: 01074AD0

Strings

%lu, xrefs: 01074A6F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 4f71aa96ff3bb9fb936f4aa34eecb93469f70c8486b80609b872f64551a699d6
Instruction ID: e94d17daaaa90cb4179a985e548b5b488d9abe330203b01070883ee24e6b5490
Opcode Fuzzy Hash: 4f71aa96ff3bb9fb936f4aa34eecb93469f70c8486b80609b872f64551a699d6
Instruction Fuzzy Hash: F8318F74A00109AFEB10DF54C980EAE7BF8EF08308F0480A9E989DB252D775EE45CB61

Function 010941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0109424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01094264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01094271

Strings

msctls_trackbar32, xrefs: 01094226

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: eb12d41c8ec954cf3fc2b0efc6733b6f0b51b3e39f9cd2f1d6d39b498caaf22f
Instruction ID: 3b2106e287193c811c6b59707868aab4565c6bc0b5618acc48f9dd9e1d556274
Opcode Fuzzy Hash: eb12d41c8ec954cf3fc2b0efc6733b6f0b51b3e39f9cd2f1d6d39b498caaf22f
Instruction Fuzzy Hash: 7E11C672240248BEFF219F69CC05FAB3BACFF85B54F110524FA95E6190D672D8529B60

Function 01062F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01006B57: _wcslen.LIBCMT ref: 01006B6A

Part of subcall function 01062DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01062DC5
Part of subcall function 01062DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 01062DD6
Part of subcall function 01062DA7: GetCurrentThreadId.KERNEL32 ref: 01062DDD
Part of subcall function 01062DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01062DE4

GetFocus.USER32 ref: 01062F78

Part of subcall function 01062DEE: GetParent.USER32(00000000), ref: 01062DF9

GetClassNameW.USER32(?,?,00000100), ref: 01062FC3
EnumChildWindows.USER32(?,0106303B), ref: 01062FEB

Strings

%s%d, xrefs: 01062FFF

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 8d860f3a9e346bbeebf4f868ca65fa44f89cde5a7f1fdc0ce7c37ea39b414c4a
Instruction ID: e81e2e51dcd4f26455c9ba8ade35b208f9264d8d797fcc94e67da6a786b96fa5
Opcode Fuzzy Hash: 8d860f3a9e346bbeebf4f868ca65fa44f89cde5a7f1fdc0ce7c37ea39b414c4a
Instruction Fuzzy Hash: 1111D2B56002066BEF117F648C94EEE376EAFA4304F044079E9899F145DE3199498BB0

Function 01095882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010958EE
DrawMenuBar.USER32(?), ref: 010958FD

Strings

0, xrefs: 0109588F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: ee503aeeb3f3849abb378d1a393fd19efff9a0adaabeb1e57c1977b44de08b00
Instruction ID: 84b24df67c3cd7d6a0c92e76ced25503bdc5ddab1d0f1dcfe91329f86c874772
Opcode Fuzzy Hash: ee503aeeb3f3849abb378d1a393fd19efff9a0adaabeb1e57c1977b44de08b00
Instruction Fuzzy Hash: 25018431500219AFEF629F16DC54BEFBBB4FF45760F00809AE889D6141DB348A84EF21

Function 0106007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5d435c28dfe543ae1b7086893b128996036dafab46e04cbb952f88ac9720ae
Instruction ID: 247fba7e035075f405c5578d31ca4c279426f85a9e2e6c86c352f589dec6316c
Opcode Fuzzy Hash: 3d5d435c28dfe543ae1b7086893b128996036dafab46e04cbb952f88ac9720ae
Instruction Fuzzy Hash: 7AC16A75A4021AEFDB14CFA8C894AAEBBB9FF48304F108598F545EB255D731EE41CB90

Function 01033E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 01033F0B
__alldvrm.LIBCMT ref: 0103410C
__alldvrm.LIBCMT ref: 0103412E

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 0de207d285097cf2cd9438132748631eede6d7b160f21a499b4bdb690cf58c40
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 24A12576A007869FE726CE28C8907AEFFE9EFA1350F1841ADE5C5DF281C2389941C750

Function 0108342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01083459
CoUninitialize.OLE32 ref: 01083463
VariantInit.OLEAUT32(?), ref: 0108346E
VariantClear.OLEAUT32(?), ref: 0108371B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: d1bd112adb4e5b42effbefb28dde5f955449c58c8516b302d3e63f23e4523a12
Instruction ID: 8dab12d3e61ff0fb8992478bbba5ec0cbf86d10a3d50cd2614f994d0ac0ba4a3
Opcode Fuzzy Hash: d1bd112adb4e5b42effbefb28dde5f955449c58c8516b302d3e63f23e4523a12
Instruction Fuzzy Hash: A3A179756042019FD711EF28C584A6ABBE4FF88714F048859F9CA9B3A1DB35ED40CB52

Function 01060436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0109FC08,?), ref: 010605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0109FC08,?), ref: 01060608
CLSIDFromProgID.OLE32(?,?,00000000,0109CC40,000000FF,?,00000000,00000800,00000000,?,0109FC08,?), ref: 0106062D
_memcmp.LIBVCRUNTIME ref: 0106064E

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: e65c19a48bc9ab5d0154e3866ba35f485c443600c0bb121419fcef4b1495c481
Instruction ID: 807095eab52bc883cf510dff1da350b5baa1c738a0db7837441ea9a2e161c695
Opcode Fuzzy Hash: e65c19a48bc9ab5d0154e3866ba35f485c443600c0bb121419fcef4b1495c481
Instruction Fuzzy Hash: 6D812C71A00109EFDB04DF98C984DEEB7B9FF89315F204598F546AB254DB71AE06CB60

Function 0108A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0108A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0108A6BA

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

Process32NextW.KERNEL32(00000000,?), ref: 0108A79C
CloseHandle.KERNEL32(00000000), ref: 0108A7AB

Part of subcall function 0101CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,01043303,?), ref: 0101CE8A

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d8fb0738d441d5909c42243d846065b22a8e48bdfd163c608a10d44a680a3cf2
Instruction ID: fbe755296c55bcbbd93744e7c45d4d7f7a790f26c21a9b5ff8cca6f2f786d6dd
Opcode Fuzzy Hash: d8fb0738d441d5909c42243d846065b22a8e48bdfd163c608a10d44a680a3cf2
Instruction Fuzzy Hash: E4517FB15083029FE311EF24C885AABBBE8FF99754F40891DF5C997291EB31D904CB92

Function 01041391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 010414C0

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5349c906fa285f13d7368989f9b1c300694d0bf6874954d17d1d6a800ccea39a
Instruction ID: ab87b9c4545aeefa9f966d0e961cb410a1496931bfa8363acd8c2d3f77321399
Opcode Fuzzy Hash: 5349c906fa285f13d7368989f9b1c300694d0bf6874954d17d1d6a800ccea39a
Instruction Fuzzy Hash: BF413BB1A00112ABDB216BBC9CC4BEE3AF8EF92370F144275F4D9D6190EF74A48147A1

Function 01096278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 010962E2
ScreenToClient.USER32(?,?), ref: 01096315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 01096382

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: ef7578c622c228ab344e720d7570881f0831693c114944f3a999028a52f9ddea
Instruction ID: 7f3ce380fa7637be3342b2c4759e085b1ea2339e05e035642db3c65affa07fdc
Opcode Fuzzy Hash: ef7578c622c228ab344e720d7570881f0831693c114944f3a999028a52f9ddea
Instruction Fuzzy Hash: CB516A70A00209EFDF21CF68C8909AE7BF5FB45320F10C199F8959B291D732E981DB90

Function 01081AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 01081AFD
WSAGetLastError.WSOCK32 ref: 01081B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01081B8A
WSAGetLastError.WSOCK32 ref: 01081B94

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 707c008502a88f4b0ded028855b2265bf18835d6661c121ba5c2afce1a961003
Instruction ID: dc22adcd68538cd9f82622e91cf1c9326940ed7d2e1147330d3b1ffd2cb7d29f
Opcode Fuzzy Hash: 707c008502a88f4b0ded028855b2265bf18835d6661c121ba5c2afce1a961003
Instruction Fuzzy Hash: D941E3746002016FF720AF24C885F6A77E5AF44718F548488F9DA8F3C2D776ED428B91

Function 0103B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6731c422eba475a3415a8563050eaecbb854f8f1b30615cc95b22d7adef3fd16
Instruction ID: c5f4d6f1cdc41b38fb46ef94a27c95fc7894ff7ce81986e059df1cb54cfa0d06
Opcode Fuzzy Hash: 6731c422eba475a3415a8563050eaecbb854f8f1b30615cc95b22d7adef3fd16
Instruction Fuzzy Hash: A9411476A00315BFD7259F7CCC40BAABBEDEFC8724F10856AE181DB280DB71A9418780

Function 010756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 01075783
GetLastError.KERNEL32(?,00000000), ref: 010757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 010757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 010757FA

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 56460c1cde8e94f46911f20a33a2212fe1c95900c8599dbb3ae232398d2ce3e2
Instruction ID: 0bff2c5cc893860fbfbca66ecdf7bc2f2679563e803e6e2ba67b6f783bcee305
Opcode Fuzzy Hash: 56460c1cde8e94f46911f20a33a2212fe1c95900c8599dbb3ae232398d2ce3e2
Instruction Fuzzy Hash: 1C415D39600611DFDB12DF15C544A9EBBE1FF99321F188488E88AAB3A1CB75FD41CB91

Function 0103D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,01026D71,00000000,00000000,010282D9,?,010282D9,?,00000001,01026D71,8BE85006,00000001,010282D9,010282D9), ref: 0103D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0103D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0103D9AB
__freea.LIBCMT ref: 0103D9B4

Part of subcall function 01033820: RtlAllocateHeap.NTDLL(00000000,?,010D1444,?,0101FDF5,?,?,0100A976,00000010,010D1440,010013FC,?,010013C6,?,01001129), ref: 01033852

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 6987acc1abb66314192d99415cb884194a23b2b7c9e9977085296c060fd407e3
Instruction ID: 4aabf24b74c70ef405dfbcb541746e4e5fa5e51d7001fd888e7350c9f726f9e7
Opcode Fuzzy Hash: 6987acc1abb66314192d99415cb884194a23b2b7c9e9977085296c060fd407e3
Instruction Fuzzy Hash: D131C372A0021AABEF25DFA8DC40EEE7BAAEB85310F45416AFC84D7150E735DD50CB90

Function 0106AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0106AAAC
SetKeyboardState.USER32(00000080), ref: 0106AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0106AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0106AB88

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ced76a4de76380e36a40c0bd40970a2d44513ec328ed8abb70e31766bf94ec9f
Instruction ID: d9d0fbd3b139901bd660b4bd40f8d10f9481172d34e45bfe7764ff4f546d64c9
Opcode Fuzzy Hash: ced76a4de76380e36a40c0bd40970a2d44513ec328ed8abb70e31766bf94ec9f
Instruction Fuzzy Hash: CB311830B40208EEFF35AA698814BFE7BEEAB45310F04565AE1C1671D2D3758981C7A1

Function 010952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 01095352
GetWindowLongW.USER32(?,000000F0), ref: 01095375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01095382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010953A8

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 2b2135e06b132eb9384730b3217d462dca3dbf6cb893b541e731b0184724f738
Instruction ID: 2875a3c50f0eddff4510847db30a68de4e42763028cc75c81564260a4047f775
Opcode Fuzzy Hash: 2b2135e06b132eb9384730b3217d462dca3dbf6cb893b541e731b0184724f738
Instruction Fuzzy Hash: 1E31E334A55208EFFF728E5ACC35BE87BA1AB04310F48C143FBD0961D0C7B5A980AB42

Function 01097674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0109769A
GetWindowRect.USER32(?,?), ref: 01097710
PtInRect.USER32(?,?,01098B89), ref: 01097720
MessageBeep.USER32(00000000), ref: 0109778C

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 3ef0f73046f5629ec273a0322ca1ae8da50e1f08bae9bf6d6c04f307944eef0f
Instruction ID: 1d9662b31ba777c95fe040d6f5e896a4ec8024828723365d49023810226300e8
Opcode Fuzzy Hash: 3ef0f73046f5629ec273a0322ca1ae8da50e1f08bae9bf6d6c04f307944eef0f
Instruction Fuzzy Hash: C841AD36A11205EFDF12CF58C4A4EADFBF4FB89300F0440A8E9949B256C731A941DF90

Function 010916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 010916EB

Part of subcall function 01063A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01063A57
Part of subcall function 01063A3D: GetCurrentThreadId.KERNEL32 ref: 01063A5E
Part of subcall function 01063A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010625B3), ref: 01063A65

GetCaretPos.USER32(?), ref: 010916FF
ClientToScreen.USER32(00000000,?), ref: 0109174C
GetForegroundWindow.USER32 ref: 01091752

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 111ce6bf59253e195c52756848f87d6fc365264e12fb18dca678be2bfd72626c
Instruction ID: 50f2fe144524ccbd6fb9f4aa310db7c2169daac1f82b70f4c1a32ce8e25be43e
Opcode Fuzzy Hash: 111ce6bf59253e195c52756848f87d6fc365264e12fb18dca678be2bfd72626c
Instruction Fuzzy Hash: 65315275E0010AAFEB01DFA9C980CEEFBF9FF58204B5080A9E455E7251DB359E45CBA1

Function 0106DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 01007620: _wcslen.LIBCMT ref: 01007625

_wcslen.LIBCMT ref: 0106DFCB
_wcslen.LIBCMT ref: 0106DFE2
_wcslen.LIBCMT ref: 0106E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0106E018

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 3debea9bf7a555720dff232eb2a4443b7408aa73bcb3196aad0c3c71d0a3b955
Instruction ID: 2d210d02b987d662768a23614916d76ed2e835ed891d8ab5127b0d281b2b7956
Opcode Fuzzy Hash: 3debea9bf7a555720dff232eb2a4443b7408aa73bcb3196aad0c3c71d0a3b955
Instruction Fuzzy Hash: 3E21E575900215EFDB21DFA8D980BAEB7F8EF55710F1440A4E984FB245D7709E41CBA1

Function 01098FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01019BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01019BB2

GetCursorPos.USER32(?), ref: 01099001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,01057711,?,?,?,?,?), ref: 01099016
GetCursorPos.USER32(?), ref: 0109905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,01057711,?,?,?), ref: 01099094

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 0ca25ef5b42b71af16f4ede9038b2b4f4b8ee43e61d32ad85320c332749f48b7
Instruction ID: b34e54c9fc3eee6d2d78e492e320d9407d619a7f0708fe26d3572de5dc085429
Opcode Fuzzy Hash: 0ca25ef5b42b71af16f4ede9038b2b4f4b8ee43e61d32ad85320c332749f48b7
Instruction Fuzzy Hash: 4E21BF35600118FFEF258F99C868EEA7FF9FB89354F004099FA9547251C73699A0EB60

Function 0106D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0109CB68), ref: 0106D2FB
GetLastError.KERNEL32 ref: 0106D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0106D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0109CB68), ref: 0106D376

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: f1747037bdd3ba2e2033c0320dfdeb922d64742be742a954fc5f4800ff300a32
Instruction ID: 0648b94ca2c613c5aba400c7d2caec60753337361e11e68215d584261624f346
Opcode Fuzzy Hash: f1747037bdd3ba2e2033c0320dfdeb922d64742be742a954fc5f4800ff300a32
Instruction Fuzzy Hash: 7421B270A083129F9710DF68C5908AF7BE8FE55228F508A5DF4E9C72D1EB31DA45CB92

Function 01061571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01061014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0106102A
Part of subcall function 01061014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01061036
Part of subcall function 01061014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01061045
Part of subcall function 01061014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0106104C
Part of subcall function 01061014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01061062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 010615BE
_memcmp.LIBVCRUNTIME ref: 010615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01061617
HeapFree.KERNEL32(00000000), ref: 0106161E

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 11915df7754f660aba8844267623121d96d7031ecd4636b0343954693a17cdb2
Instruction ID: 8e3e746a96871c9bb3945bdc761a571532bdb1ddccff8ede3df3d637e9669510
Opcode Fuzzy Hash: 11915df7754f660aba8844267623121d96d7031ecd4636b0343954693a17cdb2
Instruction Fuzzy Hash: 73215E71E00109EFEB10DFA8C955BEEBBF8EF85354F184499E581A7240D775AA05CB60

Function 01092782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0109280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01092824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01092832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01092840

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 3de519866e43a8b38ad3331c12528343fc78af0ecc8e1fc37c21bb25a4b771cd
Instruction ID: d3ed27615e18e172aaeeb79e9a1d704942363822a522bf94278441044f277193
Opcode Fuzzy Hash: 3de519866e43a8b38ad3331c12528343fc78af0ecc8e1fc37c21bb25a4b771cd
Instruction Fuzzy Hash: 40210331605111BFEB14DB24C864FAABB95BF45324F148198F4AA8B6E1CB76EC82C7D0

Function 0107CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0107CE89
GetLastError.KERNEL32(?,00000000), ref: 0107CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0107CEFE

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: bf4b93b55b041615d51617447a85580b430ee1a650f252b8eb12ffbca2b76f82
Instruction ID: 51aa4630ca0b705576f12c03d0c830263ca4ff59148e64c4133a9a435b7e976f
Opcode Fuzzy Hash: bf4b93b55b041615d51617447a85580b430ee1a650f252b8eb12ffbca2b76f82
Instruction Fuzzy Hash: 162190719007069BF770DF69CA48BAABBF8EB40354F10485EE6C692141E775EA448B68

Function 010678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01068D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0106790A,?,000000FF,?,01068754,00000000,?,0000001C,?,?), ref: 01068D8C
Part of subcall function 01068D7D: lstrcpyW.KERNEL32(00000000,?,?,0106790A,?,000000FF,?,01068754,00000000,?,0000001C,?,?,00000000), ref: 01068DB2
Part of subcall function 01068D7D: lstrcmpiW.KERNEL32(00000000,?,0106790A,?,000000FF,?,01068754,00000000,?,0000001C,?,?), ref: 01068DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,01068754,00000000,?,0000001C,?,?,00000000), ref: 01067923
lstrcpyW.KERNEL32(00000000,?,?,01068754,00000000,?,0000001C,?,?,00000000), ref: 01067949
lstrcmpiW.KERNEL32(00000002,cdecl,?,01068754,00000000,?,0000001C,?,?,00000000), ref: 01067984

Strings

cdecl, xrefs: 0106797B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 7c4adfa106702de5d55132a08c6921cd7a0c83d4d739c9872e6fcfae8c0ef0d1
Instruction ID: 5fa98238e8c80618af028c2f088f49fe76ec38ca312c7022597e7522a70a42ee
Opcode Fuzzy Hash: 7c4adfa106702de5d55132a08c6921cd7a0c83d4d739c9872e6fcfae8c0ef0d1
Instruction Fuzzy Hash: DE11E93A200302ABDB255F39D844D7B77E9FF55754B50802AE986C7258EB369811C771

Function 01097CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 01097D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 01097D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 01097D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0107B7AD,00000000), ref: 01097D6B

Part of subcall function 01019BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01019BB2

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 40dce177929b56863563ae8fa5ab757c16224eba2b946cb9314703127ba406d9
Instruction ID: 712cb041d67323ac1bed3f11be83f3bf46c103f17bdc3cf7a6c619885936e8c2
Opcode Fuzzy Hash: 40dce177929b56863563ae8fa5ab757c16224eba2b946cb9314703127ba406d9
Instruction Fuzzy Hash: ED11CD73622615AFDF20AE2CCC14AAA3BA4BB45360F114368F9B9C72E0D7358951DF90

Function 01095660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 010956BB
_wcslen.LIBCMT ref: 010956CD
_wcslen.LIBCMT ref: 010956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 01095816

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: f7e3c88ada15ea106cc4328b8fd862d730a17e0a42744901462bc68c38c0d26a
Instruction ID: af59510046620d147a84f133e0aad935aca28ebdd6173dea2dbfc734b5fb013e
Opcode Fuzzy Hash: f7e3c88ada15ea106cc4328b8fd862d730a17e0a42744901462bc68c38c0d26a
Instruction Fuzzy Hash: A411D371A0021996EF21DF66DC94AEE7BACFF15664B004067FAD5D6081EB70D640DBA0

Function 01031D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5542244f09af747b6993c9e47ac29b80d9f6860fdd3ed396b18228dba82a12e8
Instruction ID: ae7fe1ee7e5439deb97611a0ccf954fa6631021f70b70ae7e3c06f3b03656eac
Opcode Fuzzy Hash: 5542244f09af747b6993c9e47ac29b80d9f6860fdd3ed396b18228dba82a12e8
Instruction Fuzzy Hash: 1401A2B26056163EF66139787CC4F6B6A5DEFCA2B8B300366F6A1911C5DB718C004260

Function 01061A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 01061A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01061A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01061A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01061A8A

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2adfa18beb47eac89f64ad361f2d8b57bfcb44a2b84b46dfb049cd6c60d8f0a4
Instruction ID: 1070ef601ae82a01ac2feedb9325498fdad49e2335ffdda41ccd0d42aba0f5be
Opcode Fuzzy Hash: 2adfa18beb47eac89f64ad361f2d8b57bfcb44a2b84b46dfb049cd6c60d8f0a4
Instruction Fuzzy Hash: 9B11093AD00219FFEB11DBA9C985FADBBB8FB48750F200491EA44B7290D6716E50DB94

Function 0106E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0106E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0106E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0106E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0106E24D

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 859c6bed2e78366bb9b9a297ad6a1f077c65c9ce6cf75f8ee424f2a652dcf29c
Instruction ID: 03113bcc5b71066667b7ceec05f67fd007b2cf18f9324f6f9916fbb74213a0ad
Opcode Fuzzy Hash: 859c6bed2e78366bb9b9a297ad6a1f077c65c9ce6cf75f8ee424f2a652dcf29c
Instruction Fuzzy Hash: 95112B76D04315BFD711DFACDD09A9E7FADBB45220F008255F994D3284DAB6CA048BA0

Function 0102D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0102CFF9,00000000,00000004,00000000), ref: 0102D218
GetLastError.KERNEL32 ref: 0102D224
__dosmaperr.LIBCMT ref: 0102D22B
ResumeThread.KERNEL32(00000000), ref: 0102D249

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: c505c7b13d5d1f94f34cd2ea1dd9769196637b53f4cc06c96d362864c54de880
Instruction ID: 4061fb80666aaaf77d2341734c7300c66bef65887b5b111ff38487370feb18db
Opcode Fuzzy Hash: c505c7b13d5d1f94f34cd2ea1dd9769196637b53f4cc06c96d362864c54de880
Instruction Fuzzy Hash: B901D236805225BBEB215BE9DC08BAE7AACEF93370F104259F9A5961D0CB718D05C7A0

Function 01099EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 01019BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 01019BB2

GetClientRect.USER32(?,?), ref: 01099F31
GetCursorPos.USER32(?), ref: 01099F3B
ScreenToClient.USER32(?,?), ref: 01099F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 01099F7A

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: c1245d0ebe4a874e59b4b95c0181be7f485818f38a30a54015f1ce9e132152b9
Instruction ID: 7044b32019521f645837bc6cf317cef69ff85edc1f8193156762e92b92c7bbcd
Opcode Fuzzy Hash: c1245d0ebe4a874e59b4b95c0181be7f485818f38a30a54015f1ce9e132152b9
Instruction Fuzzy Hash: D2115A3290061AEBDF10DFA8C9A59EEBBB8FB45315F400459F991E3140D735BA81DBA1

Function 0100600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0100604C
GetStockObject.GDI32(00000011), ref: 01006060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0100606A

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 895a32e51893e9ad5eb3e1e828237f6842484f4198122cd03b05b4eba901a598
Instruction ID: 5ac85d241e1575454cbdafb85ca74ef56fd007404f595cbf7d5ba8fa2d24761a
Opcode Fuzzy Hash: 895a32e51893e9ad5eb3e1e828237f6842484f4198122cd03b05b4eba901a598
Instruction Fuzzy Hash: 33115E72941549BFFF228F949C54AEBBBBAFF09354F040115FA9452150D737AC609BA0

Function 01023B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 01023B56

Part of subcall function 01023AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 01023AD2
Part of subcall function 01023AA3: ___AdjustPointer.LIBCMT ref: 01023AED

_UnwindNestedFrames.LIBCMT ref: 01023B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 01023B7C
CallCatchBlock.LIBVCRUNTIME ref: 01023BA4

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 816a699ff0094a3f9e693d467f5f6959f0f07d4928fea05763efea1f02425a01
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: F401D732100159BBDF125E99CC45DEB7FAEFF5D754F044054FE889A120C63AE861DBA0

Function 01033073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,010013C6,00000000,00000000,?,0103301A,010013C6,00000000,00000000,00000000,?,0103328B,00000006,FlsSetValue), ref: 010330A5
GetLastError.KERNEL32(?,0103301A,010013C6,00000000,00000000,00000000,?,0103328B,00000006,FlsSetValue,010A2290,FlsSetValue,00000000,00000364,?,01032E46), ref: 010330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0103301A,010013C6,00000000,00000000,00000000,?,0103328B,00000006,FlsSetValue,010A2290,FlsSetValue,00000000), ref: 010330BF

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: fdd15c7372f271c90af9fe77588a4bc9bf2bbbdfce8bbf9e974ee8b9a56d5308
Instruction ID: 391902fd82336361986aa4dc3e6b5307fad11177a8980c0277a8eb1090d37364
Opcode Fuzzy Hash: fdd15c7372f271c90af9fe77588a4bc9bf2bbbdfce8bbf9e974ee8b9a56d5308
Instruction Fuzzy Hash: 6D01F732701622ABDB314ABCACE4A57BBDCBF85B61B100760F9C9EB141C726D401C7E0

Function 01067464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0106747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 01067497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 010674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 010674CA

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: dab31fb4e2410289cc403297c92871d4cc4eb137055fec03567768990dbca320
Instruction ID: 533e9de6ac045dd1d5c8c14538bd9f8ce715ad8b8e129fae000534a08be6820a
Opcode Fuzzy Hash: dab31fb4e2410289cc403297c92871d4cc4eb137055fec03567768990dbca320
Instruction Fuzzy Hash: 0E111BB5601305ABF7308F54DA0DB967FFCFB40B08F108569A696D6181DBB5E904CBA1

Function 0106B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0106ACD3,?,00008000), ref: 0106B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0106ACD3,?,00008000), ref: 0106B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0106ACD3,?,00008000), ref: 0106B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0106ACD3,?,00008000), ref: 0106B126

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: f831c752b4816503239655dc928dbd3a485a6ace281deb14dfc76fb1ea127a58
Instruction ID: 0d8136ae990ce41ad8a1ddb7445c0cbcf6d06ab796bda279de9721b4bf7d050f
Opcode Fuzzy Hash: f831c752b4816503239655dc928dbd3a485a6ace281deb14dfc76fb1ea127a58
Instruction Fuzzy Hash: B3118BB0E0051CEBDF10AFE4E9986EEBFB8FF0A310F004086D9C1B6189CB3586908B55

Function 01097E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01097E33
ScreenToClient.USER32(?,?), ref: 01097E4B
ScreenToClient.USER32(?,?), ref: 01097E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 01097E8A

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 401b274e80821876b3195d386b534df354b80ca7705ae032342b90a3dc2c5ca1
Instruction ID: 8064c41173857b9159f7766bef748e12654d2e7073d5651e2998636f7be8813a
Opcode Fuzzy Hash: 401b274e80821876b3195d386b534df354b80ca7705ae032342b90a3dc2c5ca1
Instruction Fuzzy Hash: 3B1142BAD0024AAFDB51CF98C584AEEBBF9FF08310F509066E955E3214D735AA54CF90

Function 01062DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01062DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 01062DD6
GetCurrentThreadId.KERNEL32 ref: 01062DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01062DE4

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f540f31db44e1ec607d022d895d653ed89b446d1e41ae0ee3548dce21564c48e
Instruction ID: 040606003d22f26a4cc0f848806c37b965ff94d4f70ecb523e12a92afd01816c
Opcode Fuzzy Hash: f540f31db44e1ec607d022d895d653ed89b446d1e41ae0ee3548dce21564c48e
Instruction Fuzzy Hash: CFE06D719012247AEB302A669D0DEEB3E6CFF56BA1F400415B245D10809AAA9440C7F0

Function 01098863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 01019639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 01019693
Part of subcall function 01019639: SelectObject.GDI32(?,00000000), ref: 010196A2
Part of subcall function 01019639: BeginPath.GDI32(?), ref: 010196B9
Part of subcall function 01019639: SelectObject.GDI32(?,00000000), ref: 010196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 01098887
LineTo.GDI32(?,?,?), ref: 01098894
EndPath.GDI32(?), ref: 010988A4
StrokePath.GDI32(?), ref: 010988B2

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: f47ab6a33f26c123631188bc65f5ceb18a8ba0b02764f9c81dc7c64f5bfe6a07
Instruction ID: 488509fa209f71de2854a62c6b4f5db429836a9163871518181f46649c4634ab
Opcode Fuzzy Hash: f47ab6a33f26c123631188bc65f5ceb18a8ba0b02764f9c81dc7c64f5bfe6a07
Instruction Fuzzy Hash: 4EF09A36042218BAEB222E94AD19FCA3E59AF06310F008000FA81650D5C77A0111DBB9

Function 010198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 010198CC
SetTextColor.GDI32(?,?), ref: 010198D6
SetBkMode.GDI32(?,00000001), ref: 010198E9
GetStockObject.GDI32(00000005), ref: 010198F1

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 77eb54ce85ae3e7564814ea21fb671bb335830a85c73468804e02e35ec9340d1
Instruction ID: 48646e6eb763c3209c87a05a479a2c4f58dba9b1c8218408616ff51dc49f23fb
Opcode Fuzzy Hash: 77eb54ce85ae3e7564814ea21fb671bb335830a85c73468804e02e35ec9340d1
Instruction Fuzzy Hash: CAE06D31644280ABEB715B78A929BE93F61BB02336F08825AFBFA580D5C77642409B10

Function 0106162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 01061634
OpenThreadToken.ADVAPI32(00000000,?,?,?,010611D9), ref: 0106163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,010611D9), ref: 01061648
OpenProcessToken.ADVAPI32(00000000,?,?,?,010611D9), ref: 0106164F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 56a54d1a4d7c86513d7ede895ba94b9e7d3c1fb6bd2a5716b2627d3f31770a27
Instruction ID: dde9888b2c394da5fab4389e480267497535df1285afa9c0ef1771c4c33632ac
Opcode Fuzzy Hash: 56a54d1a4d7c86513d7ede895ba94b9e7d3c1fb6bd2a5716b2627d3f31770a27
Instruction Fuzzy Hash: 95E08635A01211ABE7701FA49F1DB463BBDBF85791F148848F2C5C9084D6394440C760

Function 0105D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0105D858
GetDC.USER32(00000000), ref: 0105D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0105D882
ReleaseDC.USER32(?), ref: 0105D8A3

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 188449f7bce0680b27e3683572ffbd0d1841eaf211eae8c2512f488a4e12d004
Instruction ID: 1a8d37143df9f6769d8c1546a7c1d4a53d58d32e776ade9a4e01e83af23313d3
Opcode Fuzzy Hash: 188449f7bce0680b27e3683572ffbd0d1841eaf211eae8c2512f488a4e12d004
Instruction Fuzzy Hash: E2E075B5C00205DFEB519FA0961866DBBB5FB48311F148459F88AA7244CB3AA9419F91

Function 0105D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0105D86C
GetDC.USER32(00000000), ref: 0105D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0105D882
ReleaseDC.USER32(?), ref: 0105D8A3

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 21211fa57114257f81af9dfd536814f1c3232bec4c83206ee885e3d1ee23cb94
Instruction ID: 18b822163243342aec6f26f7fd3bb009a536a9491feb2961e6c3dbbfaa3c852c
Opcode Fuzzy Hash: 21211fa57114257f81af9dfd536814f1c3232bec4c83206ee885e3d1ee23cb94
Instruction Fuzzy Hash: CDE09AB5C00205DFEF619FA0D61C66DBBB5BB48311F148449F98AE7244CB3E69019F91

Function 01074D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 01007620: _wcslen.LIBCMT ref: 01007625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 01074ED4

Strings

*, xrefs: 01074E10
LPT, xrefs: 01074DFB

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 37f4fb7efb8f2ef026ff0ef53e1a9b215daf1a58c67db601d8271601f1f89bfd
Instruction ID: 16acce6f559fe9c29932f18bd8a28b90e197bfaca7c89b446c347557e2169ec9
Opcode Fuzzy Hash: 37f4fb7efb8f2ef026ff0ef53e1a9b215daf1a58c67db601d8271601f1f89bfd
Instruction Fuzzy Hash: D0919075E002059FDB15DF58C484EAABBF1AF48304F1880D9E88A9F3A2C735ED85CB95

Function 0102E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0102E30D

Strings

pow, xrefs: 0102E2E5, 0102E302

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 510ddd76674f1e5a60eb433b5a55e7c8598776ab4a2a38c01d573c660d73b5e1
Instruction ID: 73a4fb323e29bf2320e27e3a848d52e33bcf57ef5da8d1f468d736cd59609e85
Opcode Fuzzy Hash: 510ddd76674f1e5a60eb433b5a55e7c8598776ab4a2a38c01d573c660d73b5e1
Instruction Fuzzy Hash: 92516FB1A4450296DB66771CC9043BD3FECEB80741F6489E8D4D6422DDDF3988D58B46

Function 0101E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0101E1B1

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: c3d6d8c0f013cc1bf0b2715f41dc2977471b64741b30a83f6eafaa021f6e3358
Instruction ID: 16e90a73deb787e12cd7e9a47bf93d3e8cb7a1ef0189ad9d71ffbd01c297637b
Opcode Fuzzy Hash: c3d6d8c0f013cc1bf0b2715f41dc2977471b64741b30a83f6eafaa021f6e3358
Instruction Fuzzy Hash: 2151017590425ADFEB96DF28C090AFEBBE5FF15310F244095EDD19B2C1D6389A42CBA0

Function 0101F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0101F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0101F2BB

Strings

@, xrefs: 0101F2AF

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 22443546c727c03a8176a908c961faec2775320e33092cabcc63bd171734ca5d
Instruction ID: ce75d62e32c2cd5bb498aebbb9f16b058ecac15ad2317373dbe73cfe26debc62
Opcode Fuzzy Hash: 22443546c727c03a8176a908c961faec2775320e33092cabcc63bd171734ca5d
Instruction Fuzzy Hash: 9F5186724187459BE321AF10E885BAFBBF8FF94300F81894CF1D941098EB759529CB67

Function 01085745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 010857E0
_wcslen.LIBCMT ref: 010857EC

Strings

CALLARGARRAY, xrefs: 010857E6, 010857EB

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 3c2c32b7f4c304b578f3f03d56f4d3b5d1f15926ec98bea0d0984e5bde595e9c
Instruction ID: d57b47ded51743d3fbc0fc3178ede6f344d7edf3214ddc747cb8b41199340f0e
Opcode Fuzzy Hash: 3c2c32b7f4c304b578f3f03d56f4d3b5d1f15926ec98bea0d0984e5bde595e9c
Instruction Fuzzy Hash: F4419071E1410ADFCB14EFA8C8809EEBBF5FF58314F50406AE585A7291EB349981CB90

Function 0107D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0107D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0107D13A

Strings

|, xrefs: 0107D10B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 107b6d231b74fd79c12ed3aec3211dc2c1b3b662650fb5336963fc02fc133ccf
Instruction ID: 019853c21726572ace2003f0522b5ba218a5d5bd35bb68b588f93b0b51b2bd17
Opcode Fuzzy Hash: 107b6d231b74fd79c12ed3aec3211dc2c1b3b662650fb5336963fc02fc133ccf
Instruction Fuzzy Hash: 8B315271D0021AABDF15EFE4DC84EEE7FBAFF14300F000059E955A6165D731AA56CB64

Function 0109356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01093621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0109365C

Strings

static, xrefs: 010935BC

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 05e012f5e6cf1f6d74a6e524155935361b38d1b19b0877fb2269a3f5fdb04e22
Instruction ID: b969eaf3323a8230e3ba7bce28922b32aed6d45972bbe868b80ea94faf41d087
Opcode Fuzzy Hash: 05e012f5e6cf1f6d74a6e524155935361b38d1b19b0877fb2269a3f5fdb04e22
Instruction Fuzzy Hash: B3318F71100204AAEB21DF38D850EFB73A9FF48724F008619F9E5D7280DA35A891DB60

Function 01094537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0109461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01094634

Strings

', xrefs: 0109458E

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 60641aeee5083015d1e89d178a2e5e48a8fbdcfc053f3d77e70c302c9e5e19a2
Instruction ID: e21c0c05829d9445c3f0a587b6f515f706292058435a93e721f8a86db8717e1c
Opcode Fuzzy Hash: 60641aeee5083015d1e89d178a2e5e48a8fbdcfc053f3d77e70c302c9e5e19a2
Instruction Fuzzy Hash: 243119B4A012099FDF14CFA9CA90BDA7BB5FB09300F104169E945DB342D771A942DF90

Function 010931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0109327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01093287

Strings

Combobox, xrefs: 01093249

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2f14041a8d1c433a0eb202144b7bacd475b5c4e9dfa91e9f1bfb510545db4aef
Instruction ID: 8e6b8de86608c6de7561f2855c7743c63ee4aa6ad92e9f59fe8df9df07730cba
Opcode Fuzzy Hash: 2f14041a8d1c433a0eb202144b7bacd475b5c4e9dfa91e9f1bfb510545db4aef
Instruction Fuzzy Hash: 1B11E6713002087FFF669E68DC90EBB37ABFB48364F104169F9949B291D6319C50DB60

Function 01093710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0100600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0100604C
Part of subcall function 0100600E: GetStockObject.GDI32(00000011), ref: 01006060
Part of subcall function 0100600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0100606A

GetWindowRect.USER32(00000000,?), ref: 0109377A
GetSysColor.USER32(00000012), ref: 01093794

Strings

static, xrefs: 01093757

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 310b86f44c0518450035f4253218660e66d7663af2c74ef1ccb194a37b12c80d
Instruction ID: 7624b535b60a5095bab73e8012a679ca6c15b6adeb09635b00574f58c3b739da
Opcode Fuzzy Hash: 310b86f44c0518450035f4253218660e66d7663af2c74ef1ccb194a37b12c80d
Instruction Fuzzy Hash: EE11297261020AAFEF11DFB8C945AEEBBF8FB08314F004915F995E6240D735E8509B50

Function 0107CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0107CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0107CDA6

Strings

<local>, xrefs: 0107CD66

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: e350544201c5be6e428678bd29bd6eb1b61a6bbb6a664bd8496b68e0e9e03cc7
Instruction ID: 2a0b92e8a34ec83c2f09b677dd2f22aa7bdb19add33f0e2857f39b12cb8509cb
Opcode Fuzzy Hash: e350544201c5be6e428678bd29bd6eb1b61a6bbb6a664bd8496b68e0e9e03cc7
Instruction Fuzzy Hash: 54110671A01632BAE7745A668D44EEBBFACEF027A4F00421AB18983180D3749C40C6F4

Function 01093429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 010934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010934BA

Strings

edit, xrefs: 0109348F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 46330ab0002dcbb0c590d35512b49255458c8cd460cc88c9f50f1322aa942bac
Instruction ID: ba970b016ede5be304f675964d3570051efd147e6c27957bfb0c648f6150f5ec
Opcode Fuzzy Hash: 46330ab0002dcbb0c590d35512b49255458c8cd460cc88c9f50f1322aa942bac
Instruction Fuzzy Hash: F411B275500108ABFF628E78DC64AEB37AAFB05374F514324F9A19B1D4CB36EC51AB50

Function 01066C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

CharUpperBuffW.USER32(?,?,?), ref: 01066CB6
_wcslen.LIBCMT ref: 01066CC2

Strings

STOP, xrefs: 01066CBC, 01066CC1

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: d6776000671754a799f22df687ad38fd0cef8864f730586f019af3174f47c892
Instruction ID: 739697dbb828d1120de480c107068d3e97bb7f679a5682bc193b44b92ec67e2a
Opcode Fuzzy Hash: d6776000671754a799f22df687ad38fd0cef8864f730586f019af3174f47c892
Instruction Fuzzy Hash: BB01C432E0092B8ADB22AFBDDC809BF77E9EE65624B400568D9A297195EB33D540C650

Function 01061CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

Part of subcall function 01063CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01063CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01061D4C

Strings

ListBox, xrefs: 01061D16
ComboBox, xrefs: 01061CEB

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2a6d69b817cdf0597e56ec8d3214d79cfee61188d9ba010dd485d6a7bde4a0ac
Instruction ID: 91cbb1fe8b44a6de75cf8e5ec1fab0dff7562de20973b468c7083fa51b05d752
Opcode Fuzzy Hash: 2a6d69b817cdf0597e56ec8d3214d79cfee61188d9ba010dd485d6a7bde4a0ac
Instruction Fuzzy Hash: 61012875A00219AB9B04FBA4CC10CFF77ACFBA6354F000509E8E65B3C0EA3055088BA0

Function 01061BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

Part of subcall function 01063CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01063CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 01061C46

Strings

ListBox, xrefs: 01061C10
ComboBox, xrefs: 01061BE5

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 401296de825318281f9686c6e13dd0979fabd61e0de71189f31555ea6a523ef0
Instruction ID: de8de7fda9b0a29d0b0a47625bb4a482f4399c31c7dfbba889dc510f8bb1e1d7
Opcode Fuzzy Hash: 401296de825318281f9686c6e13dd0979fabd61e0de71189f31555ea6a523ef0
Instruction Fuzzy Hash: 8101F775B4010D66EB05EB90CE51DFF77EC9B61250F000019A58A672C5EA30AA1887B1

Function 01061C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

Part of subcall function 01063CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01063CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 01061CC8

Strings

ListBox, xrefs: 01061C94
ComboBox, xrefs: 01061C69

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 524fcfffc1094dce3fa421e94435abd49e9987fa7c734e6088c774051afedb04
Instruction ID: 8964ffb65184a06d58928fc252b74366cf50a090403be37091e96b998c694ef5
Opcode Fuzzy Hash: 524fcfffc1094dce3fa421e94435abd49e9987fa7c734e6088c774051afedb04
Instruction Fuzzy Hash: 3601F2B5B0010D66EB05EBA5CA00EFF77ECAF61250F000029A98A67285EA309B08C7B1

Function 01061D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01009CB3: _wcslen.LIBCMT ref: 01009CBD

Part of subcall function 01063CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01063CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 01061DD3

Strings

ListBox, xrefs: 01061DA0
ComboBox, xrefs: 01061D75

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7dbcab334ae5898ab6fa2c6d065c5f0180a0ad321fa30b853a76d7034b42e63f
Instruction ID: eff41a60ae254f491a6506451b039f5af9dcf7407d87f6cf65bd3ebe6fe03ab3
Opcode Fuzzy Hash: 7dbcab334ae5898ab6fa2c6d065c5f0180a0ad321fa30b853a76d7034b42e63f
Instruction Fuzzy Hash: 0FF0F471F4021966EB04F7A5CC51EFF77ACAF61254F040919A9E6672C5DA70650887A0

Function 0108747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01087493
_wcslen.LIBCMT ref: 010874B9

Strings

3, 3, 16, 1, xrefs: 01087483

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: bd1004981087ea0c403a63650213ea8756117f092ffab23f4b49b4ec651bcf4a
Instruction ID: 0cb316a1f12e84520e5b5fe0fe93cece251ba5573b6c286ec67748df64d77580
Opcode Fuzzy Hash: bd1004981087ea0c403a63650213ea8756117f092ffab23f4b49b4ec651bcf4a
Instruction Fuzzy Hash: 53E02B02305231109271327E9CC0ABF7ACDCFD5560734282BEAC5C226DEFD4CD9193A0

Function 01060B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 01060B23

Strings

Error allocating memory., xrefs: 01060B1C
AutoIt, xrefs: 01060B17

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: daf273f1fb6ba13f7703d03d331003d852559c4ee1ab564b23149a10a355a5a0
Instruction ID: c8654c1efaf08366ac40c32aa8d37d065a65d63dda6e9fdbb9c6f3f97e4ddd4b
Opcode Fuzzy Hash: daf273f1fb6ba13f7703d03d331003d852559c4ee1ab564b23149a10a355a5a0
Instruction Fuzzy Hash: 53E0D83128831A36F61437557D02FC97AC49F15F10F10445EF7D8994C28AD2245056A9

Function 01020D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0101F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,01020D71,?,?,?,0100100A), ref: 0101F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0100100A), ref: 01020D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0100100A), ref: 01020D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 01020D7F

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 8a37865b7babe31e6b1d1842939574ad00b994e6704d6f3df347997859a430a1
Instruction ID: 8f4c52028e1c5e60a2809976c8fd356515e86cf12a8f1f8e180ae0bb6c1d2a24
Opcode Fuzzy Hash: 8a37865b7babe31e6b1d1842939574ad00b994e6704d6f3df347997859a430a1
Instruction Fuzzy Hash: 2FE065702013128BE770AF78E11838A7BE0BB00B44F00895DF8C6C6649DBBAE4488BA1

Function 01073017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0107302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 01073044

Strings

aut, xrefs: 01073038

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 344e1cf81dbc858a55d95e59467bf624c250a1714e30b5e21faef3dd226d3ae7
Instruction ID: 48f813251d35f1437ecb4e51775ac49c7b3b9f113e37ce6af5a88ccb097ad2f6
Opcode Fuzzy Hash: 344e1cf81dbc858a55d95e59467bf624c250a1714e30b5e21faef3dd226d3ae7
Instruction Fuzzy Hash: 51D05B7190031477DA3097959D0DFCB3A6CD704650F0001917695D6095DAB59544CFD0

Function 0105D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0105D220

Strings

X64, xrefs: 0105D2A8
%.3d, xrefs: 0105D22B

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 4103823c1ed8f434d7699c9a332561814499d02c4223d22ba6d00df79000e07b
Instruction ID: 9bc891ff768f3b73a3aaaa6a404237fe99da266e2bc7c35b162b68e4e7939109
Opcode Fuzzy Hash: 4103823c1ed8f434d7699c9a332561814499d02c4223d22ba6d00df79000e07b
Instruction Fuzzy Hash: A7D01271C08109E9CBD097D08C499BFB37CFB28291F408457FD8691004D628D5488B61

Function 01092322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0109232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0109233F

Part of subcall function 0106E97B: Sleep.KERNEL32 ref: 0106E9F3

Strings

Shell_TrayWnd, xrefs: 01092325

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 729c640225eb5df6efccad34f6b1d49f70f92210b8c03d7f5c80fea6627b6b28
Instruction ID: b6748e546a0d35ea6556d90563300f07a0472e7124e9ffa719c3b9f2abe17189
Opcode Fuzzy Hash: 729c640225eb5df6efccad34f6b1d49f70f92210b8c03d7f5c80fea6627b6b28
Instruction Fuzzy Hash: 9AD0A936790300B6E674A330DC1EFCA7A28AF00B00F000A1A7285AA2C8C8B5A8008B50

Function 01092356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0109236C
PostMessageW.USER32(00000000), ref: 01092373

Part of subcall function 0106E97B: Sleep.KERNEL32 ref: 0106E9F3

Strings

Shell_TrayWnd, xrefs: 01092365

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3fdca06ea285ae56207ae726e4d91fb2a690b549475a51490f711d84641c2941
Instruction ID: 76887d7c9144e14ee5ef58967a4724bcf99cd47f0528fb819e1cbd204475f9f7
Opcode Fuzzy Hash: 3fdca06ea285ae56207ae726e4d91fb2a690b549475a51490f711d84641c2941
Instruction Fuzzy Hash: 31D0A9327803007AF674A330DC0EFCA7628AB04B00F000A1A7281AA2C8C8B5A8008B54

Function 0103BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0103BE93
GetLastError.KERNEL32 ref: 0103BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0103BEFC

Memory Dump Source

Source File: 00000000.00000002.1317535151.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1317514321.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.000000000109C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317616699.00000000010C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317675659.00000000010CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1317698735.00000000010D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 50a5fde5c9d7b00d27224f1255feecbdc942819ccdf75b2101bf91e5ec4fcbb8
Instruction ID: 81204e787cfbfa391152e5e2f919aae3fd847117b5649d10ed85ec66a9ceef53
Opcode Fuzzy Hash: 50a5fde5c9d7b00d27224f1255feecbdc942819ccdf75b2101bf91e5ec4fcbb8
Instruction Fuzzy Hash: BC41E734604216AFDF328F6CC854ABA7BEDEF82314F145199F9D99B1A1DB328900CB60

Analysis Process: firefox.exePID: 8040, Parent PID: 8048COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000020C64728D77 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000020C64728D9C

Memory Dump Source

Source File: 00000018.00000002.2513273727.0000020C64725000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000020C64725000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_20c64725000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: 64db8917d173f920664981dad0367e8e3533265ea15b1e2675c9094648c51951
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: BCA3D471618B498BDB3DDF28D8856AA73D9FB95300F14432ED94BC3256DF31EA42CA81

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 00000013.00000003.1442841362.0000025B01DFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1440718396.0000025AF4C1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1498514172.0000025AF4F26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1446696657.0000025B0225D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1497972901.0000025AF4FCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1498514172.0000025AF4F26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1489680595.0000025AF54FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1446696657.0000025B0225D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1497972901.0000025AF4FCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1499264640.0000025AF4DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1499264640.0000025AF4DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1486529035.0000025AF64DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1486529035.0000025AF64DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000003.1348840959.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1486529035.0000025AF64DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1495169379.0000025AF5E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2509914646.0000020C64603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2509914646.0000020C64603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2509914646.0000020C64603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1440718396.0000025AF4C1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1506822817.0000025B02498000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1498514172.0000025AF4F26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1489680595.0000025AF54FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1505800358.0000025B02498000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1505529122.0000025B02498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comd+- equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1505800358.0000025B02498000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1497972901.0000025AF4FCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1497057512.0000025AF5298000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1492152880.0000025AFD793000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.7:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49888 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49890 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49895 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49894 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b672e7be-f06e-420f-8837-2df4b1b7a82a.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b672e7be-f06e-420f-8837-2df4b1b7a82a.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre