Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561859
MD5:	89dd8a448515dcc941c852ea2f54d652
SHA1:	a303ccebb2201027d7eb6a0353229ee062ad9ec8
SHA256:	3f204d722304997944321470753704bbeedc99ce834daca201c68ab669706efd
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6948 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 89DD8A448515DCC941C852EA2F54D652)

taskkill.exe (PID: 4844 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 984 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1440 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6632 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6548 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6728 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5036 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3920 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3176 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed1a580a-f66e-4919-9609-aeed2be66e0b} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 20c58b6f710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7656 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3728 -parentBuildID 20230927232528 -prefsHandle 4012 -prefMapHandle 3700 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd08fa81-ebde-40ab-88fb-74e4bf2085ce} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 20c704da910 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8124 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4948 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5032 -prefMapHandle 5028 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {559a0b05-97a8-4031-b5ef-464ac3f9e4d4} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 20c69f72f10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6948	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0040EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0040EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0040ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0040EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003FAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_003FAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00429576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00429576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_982dd974-6
Source: file.exe, 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_425b8486-7
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_53b3ecd9-1
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0dfd67f6-0

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000189FB4C4DF7 NtQuerySystemInformation,		17_2_00000189FB4C4DF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000189FB4EB632 NtQuerySystemInformation,		17_2_00000189FB4EB632

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003FD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_003FD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003F1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_003F1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003FE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_003FE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0039BF40	0_2_0039BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402046	0_2_00402046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00398060	0_2_00398060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003F8298	0_2_003F8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003CE4FF	0_2_003CE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C676B	0_2_003C676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00424873	0_2_00424873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003BCAA0	0_2_003BCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0039CAF0	0_2_0039CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003ACC39	0_2_003ACC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C6DD9	0_2_003C6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003AB119	0_2_003AB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003991C0	0_2_003991C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B1394	0_2_003B1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B1706	0_2_003B1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B781B	0_2_003B781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00397920	0_2_00397920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A997D	0_2_003A997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B19B0	0_2_003B19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B7A4A	0_2_003B7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B1C77	0_2_003B1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B7CA7	0_2_003B7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041BE44	0_2_0041BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C9EEE	0_2_003C9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B1F32	0_2_003B1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000189FB4C4DF7	17_2_00000189FB4C4DF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000189FB4EB632	17_2_00000189FB4EB632
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000189FB4EB672	17_2_00000189FB4EB672
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000189FB4EBD5C	17_2_00000189FB4EBD5C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 003AF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 003B0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00399CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.troj.evad.winEXE@34/34@68/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004037B5 GetLastError,FormatMessageW,

0_2_004037B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003F10BF AdjustTokenPrivileges,CloseHandle,		0_2_003F10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003F16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_003F16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004051CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004051CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003FD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_003FD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0040648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003942A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_003942A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2309472519.0000020C742A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259930253.0000020C74997000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2262713091.0000020C74593000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291797834.0000020C74593000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2262713091.0000020C745BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291797834.0000020C745BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed1a580a-f66e-4919-9609-aeed2be66e0b} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 20c58b6f710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3728 -parentBuildID 20230927232528 -prefsHandle 4012 -prefMapHandle 3700 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd08fa81-ebde-40ab-88fb-74e4bf2085ce} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 20c704da910 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4948 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5032 -prefMapHandle 5028 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {559a0b05-97a8-4031-b5ef-464ac3f9e4d4} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 20c69f72f10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed1a580a-f66e-4919-9609-aeed2be66e0b} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 20c58b6f710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3728 -parentBuildID 20230927232528 -prefsHandle 4012 -prefMapHandle 3700 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd08fa81-ebde-40ab-88fb-74e4bf2085ce} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 20c704da910 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4948 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5032 -prefMapHandle 5028 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {559a0b05-97a8-4031-b5ef-464ac3f9e4d4} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 20c69f72f10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2213938907.0000020C74CC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2213938907.0000020C74CC1000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003942DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003B0A76 push ecx; ret

0_2_003B0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003AF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_003AF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00421C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00421C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96505

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_00000189FB4C4DF7 rdtsc

17_2_00000189FB4C4DF7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003FDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_003FDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003CC2A2 FindFirstFileExW,	0_2_003CC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004068EE FindFirstFileW,FindClose,	0_2_004068EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0040698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003FD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003FD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003FD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003FD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00409642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0040979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00409B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003942DE

Source: firefox.exe, 00000010.00000002.3369930851.000002ABCF06A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3375249912.00000189FB060000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3368503773.00000189FA8BA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3370093935.0000021FD9E5A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3376117249.0000021FDA230000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3377537986.000002ABCF940000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg=
Source: firefox.exe, 00000010.00000002.3376650747.000002ABCF517000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3377537986.000002ABCF940000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3375249912.00000189FB060000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_00000189FB4C4DF7 rdtsc

17_2_00000189FB4C4DF7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040EAA2 BlockInput,

0_2_0040EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_003C2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003942DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003B4CE8 mov eax, dword ptr fs:[00000030h]

0_2_003B4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003F0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_003F0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003C2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003B083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B09D5 SetUnhandledExceptionFilter,	0_2_003B09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003B0C21

Source: C:\Users\user\Desktop\file.exe

0_2_003F1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003D2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_003D2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003FB226 SendInput,keybd_event,

0_2_003FB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004122DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004122DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_003F0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003F1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_003F1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2221579332.0000020C74DBB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003B0698 cpuid

0_2_003B0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00408195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00408195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003ED27A GetUserNameW,

0_2_003ED27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003CB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_003CB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003942DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6948, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6948, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00411204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00411806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.65	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.129.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.142	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.21.46	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.1.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://youtube.comZ	firefox.exe, 0000000E.00000003.2311714278.000019F446603000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678942	firefox.exe, 0000000E.00000003.2201222429.0000020C69EA9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000E.00000003.2319675132.0000020C70770000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2295403485.0000020C70E15000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3371536927.00000189FABC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3371433753.0000021FDA1C4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2300410795.0000020C6A635000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2327155638.0000020C6A5BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301799228.0000020C6A5BC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2173374445.0000020C7096D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263684578.0000020C7096F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3372300667.000002ABCF4C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3371536927.00000189FABE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3376422590.0000021FDA403000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3371536927.00000189FAB86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3371433753.0000021FDA18F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2335636068.0000020C694A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331553004.0000020C694A2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2323924248.0000020C71F86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2340556386.0000020C749A7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2339108146.0000020C66467000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2338897959.0000020C67B86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2300410795.0000020C6A6AE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2266074500.0000020C70846000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2327631873.0000020C6A1D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2309472519.0000020C742E8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2296757789.0000020C70865000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2265567272.0000020C70865000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2319150996.0000020C70ADF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com/	firefox.exe, 0000000E.00000003.2338897959.0000020C67B86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000E.00000003.2324902296.0000020C6BEE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296907365.0000020C6BEE2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2152802053.0000020C68660000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2152239715.0000020C6861D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2152450193.0000020C6863E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2152043158.0000020C68400000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000E.00000003.2299973093.0000020C6B00D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324746218.0000020C70481000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2335636068.0000020C694A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331553004.0000020C694A2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2309605138.0000020C74258000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.instagram.com/	firefox.exe, 0000000E.00000003.2194224549.0000020C6A3AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193423898.0000020C6A3AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195667106.0000020C6A3AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192602723.0000020C6A3AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191181714.0000020C6A3AE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ok.ru/	firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2291797834.0000020C745BA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://fpn.firefox.com	firefox.exe, 0000000E.00000003.2339108146.0000020C66496000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000E.00000003.2301556952.0000020C6A5F9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2296757789.0000020C70865000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2265567272.0000020C70865000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.2329988794.0000020C698EC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2291797834.0000020C745BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3371536927.00000189FAB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3371433753.0000021FDA10C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2199223454.0000020C69E8F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2323924248.0000020C71F86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2309605138.0000020C74246000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.2264116831.0000020C70B82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3371536927.00000189FABC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3371433753.0000021FDA1C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2337020392.0000020C68481000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2201222429.0000020C69EA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2199223454.0000020C69E8F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2275893326.0000020C67FB8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2185506715.0000020C69F9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329571447.0000020C69FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2185506715.0000020C69FE4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://amazon.com	firefox.exe, 0000000E.00000003.2311600707.000033BB89C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311714278.000019F446603000.00000004.00000800.00020000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2327631873.0000020C6A1D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2325828278.0000020C6A6AE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2335636068.0000020C694AE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3372300667.000002ABCF4C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3371536927.00000189FABE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3376422590.0000021FDA403000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3372300667.000002ABCF4C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3371536927.00000189FABE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3376422590.0000021FDA403000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2265567272.0000020C70865000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000012.00000002.3371433753.0000021FDA113000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2323924248.0000020C71F86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.comp	firefox.exe, 0000000E.00000003.2176919948.0000020C6B1BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2299302365.0000020C6B1BC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3375679737.0000021FDA220000.00000004.00000020.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/Z	firefox.exe, 0000000E.00000003.2311600707.000033BB89C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311714278.000019F446603000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000012.00000002.3371433753.0000021FDA18F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000E.00000003.2338550647.0000020C67BC2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2201222429.0000020C69EA9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2275893326.0000020C67FCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193423898.0000020C6A3A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321952209.0000020C690F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324902296.0000020C6BED1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2154617677.0000020C68662000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195667106.0000020C6A3B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274873268.0000020C6A0A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297509309.0000020C6BE72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2299652445.0000020C6B16F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258109420.0000020C67F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313613439.0000020C6A03F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2336304773.0000020C68E9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259701378.0000020C67F68000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259219506.0000020C67FC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2266074500.0000020C70822000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2275893326.0000020C67FB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261404207.0000020C6A3A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192602723.0000020C6A3B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274462133.0000020C6A33B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193423898.0000020C6A3B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337521397.0000020C6835B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2324902296.0000020C6BEE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296907365.0000020C6BEE2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2324902296.0000020C6BEE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296907365.0000020C6BEE2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	high
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2265213230.0000020C70B22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301799228.0000020C6A5BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329988794.0000020C698EC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2265213230.0000020C70B22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301799228.0000020C6A5BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2329988794.0000020C698EC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2173374445.0000020C7096D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263684578.0000020C7096F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2296757789.0000020C70865000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2265567272.0000020C70865000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2309743353.0000020C71F9A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2296757789.0000020C70865000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2265567272.0000020C70865000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2299340401.0000020C6B195000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3371316511.000002ABCF1C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3370783820.00000189FAA90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3370924294.0000021FD9F80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2338550647.0000020C67BC2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2201222429.0000020C69EA9000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.142	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561859
Start date and time:	2024-11-24 14:55:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@34/34@68/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 38 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.209.229.249, 52.27.142.243, 52.32.237.164, 172.217.17.46, 23.200.87.12, 23.200.86.251, 172.217.17.74
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
08:56:18	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	lw2HMxuVuf.exe	Get hash	malicious	Unknown	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.116.198.130
	lw2HMxuVuf.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	mDHwap5GlV.exe	Get hash	malicious	LummaC Stealer	Browse	34.117.59.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	zapret.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	file.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	185.199.110.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	lw2HMxuVuf.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	zgp.elf	Get hash	malicious	Mirai	Browse	56.101.120.102

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_89fa439a-470f-47e7-a860-228bb43532e5.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.171112669516081
Encrypted:	false
SSDEEP:	192:WaKMX/LccbhbVbTbfbRbObtbyEl7nUrFJA6wnSrDtTkd/SF:WaP4cNhnzFSJ0rAjnSrDhkd/o
MD5:	0D81C9482063EEC5AE5FB171C7D1F0FA
SHA1:	A3B20DA84C845D981AFA9ECB66A8232A03AEFEFA
SHA-256:	77C563321365B63C1CC5FAB1C1735C92B9D475BF3CCB6C013C0EB230286C8449
SHA-512:	6D073676DD6659E3CEEE98DAD34BA3818B4E5F562FFD12B736E128A08F9D4FA5A91F347003A9EDC16C2435562E56165AF5F0BAAD4567C730E0B20D11731AA036
Malicious:	false
Preview:	{"type":"uninstall","id":"89fa439a-470f-47e7-a860-228bb43532e5","creationDate":"2024-11-24T15:07:14.681Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_89fa439a-470f-47e7-a860-228bb43532e5.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.171112669516081
Encrypted:	false
SSDEEP:	192:WaKMX/LccbhbVbTbfbRbObtbyEl7nUrFJA6wnSrDtTkd/SF:WaP4cNhnzFSJ0rAjnSrDhkd/o
MD5:	0D81C9482063EEC5AE5FB171C7D1F0FA
SHA1:	A3B20DA84C845D981AFA9ECB66A8232A03AEFEFA
SHA-256:	77C563321365B63C1CC5FAB1C1735C92B9D475BF3CCB6C013C0EB230286C8449
SHA-512:	6D073676DD6659E3CEEE98DAD34BA3818B4E5F562FFD12B736E128A08F9D4FA5A91F347003A9EDC16C2435562E56165AF5F0BAAD4567C730E0B20D11731AA036
Malicious:	false
Preview:	{"type":"uninstall","id":"89fa439a-470f-47e7-a860-228bb43532e5","creationDate":"2024-11-24T15:07:14.681Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9237376711977685
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNR9gxeln:8S+OVPUFRbOdwNIOdYpjvY1Q6L6W8P
MD5:	A8243370C1015FAEEBBF29C107460CED
SHA1:	D5CC5D8BE69305F452E6495DB44CC083786833C0
SHA-256:	754C3ACC4326B5EF3091982BE48225D0AA799E4EEB1FD915F321C8921B33E816
SHA-512:	8DECBA0BE97A8FAA650719A7DDAA8944041ED17AFBEB48314FA927647CDD88FC2EFFB77C7C57B1112303AA3304F2B95352EB1D96EA501FEFDC90DBEBABA54C42
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9237376711977685
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNR9gxeln:8S+OVPUFRbOdwNIOdYpjvY1Q6L6W8P
MD5:	A8243370C1015FAEEBBF29C107460CED
SHA1:	D5CC5D8BE69305F452E6495DB44CC083786833C0
SHA-256:	754C3ACC4326B5EF3091982BE48225D0AA799E4EEB1FD915F321C8921B33E816
SHA-512:	8DECBA0BE97A8FAA650719A7DDAA8944041ED17AFBEB48314FA927647CDD88FC2EFFB77C7C57B1112303AA3304F2B95352EB1D96EA501FEFDC90DBEBABA54C42
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07332591664048393
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkip:DLhesh7Owd4+jip
MD5:	CB3288BC1C012DDA62B7C60E79354276
SHA1:	F0BCEAD42136DE3F6ED92A33FB8E82D074492F1B
SHA-256:	2041040E200591F2A66E9A19B254384E154E0AB25A885F48993C3D11B205928D
SHA-512:	EBDA5B29F02C5BF2AD3DBD49257EF3BA08AF89CFEECDD3337C2BFAC124DF45A7BBD13BD70C2BB6F72C55516FADFFDFED9384029F05E2C60370E04E5DCA80C26D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035455806264726504
Encrypted:	false
SSDEEP:	3:GtlstFhsmkcFhG5l1lstFhsmkcFhGi/lT89//alEl:GtWtYmVFkxWtYmVFki/J89XuM
MD5:	4EBD5BFB70C29DB2E36564978AB4F239
SHA1:	BB1DDAB47B81FA82C3262519A3816861C00FCF03
SHA-256:	D72970D510F9B4ED6850C51F5476B61EBE371B3EBB59A4FF45301FD3A81A64B8
SHA-512:	EAC81F30134C225C428689740ED144D887655D706357414DE2DB53F6169F2CBB89FB18E13C32725FBF497E5341C2772A7121C792CF1135E40A48F9FDAAEEF62A
Malicious:	false
Preview:	..-.......................(CE...E!9......UQe'..C..-.......................(CE...E!9......UQe'..C........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.039182506823949415
Encrypted:	false
SSDEEP:	3:Ol1Z0/pfwlIgZ3C+szvtiwl8rEXsxdwhml8XW3R2:KTnS+szFll8dMhm93w
MD5:	7CB1751C692156F15AFCA672E4753896
SHA1:	F9792750B2907BC76E87FA3BD3CEE135612CE400
SHA-256:	11E3FDCFCEF70332DFD9B19CB51CC01BD7AE497C11563290812A4BCD263423AB
SHA-512:	BCAFC279B48EEE940291E426AFC243A2C88FE2A8E0D9715FC3C21298DE5B6033258CAFD6EB5566F03DE97AC881250FF62E96D93683378176C12DE08A77731369
Malicious:	false
Preview:	7....-..........E!9.......$X............E!9.....C(.....E................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.476737461530131
Encrypted:	false
SSDEEP:	192:nnPOeRnLYbBp6kJ0aX+r6SEXKSfNS55RHWNBw8dYSl:PDetJU+zVCHEw30
MD5:	7EB6196CFA6422137A9B23E612DFF2B6
SHA1:	1793A75446237DAA38A0D7ED8E7D7ECEE0B48B87
SHA-256:	F96C12062E1746985070F91A576C67D1451DEFBD48B8245E55E0FDED0B9DE73E
SHA-512:	DD27EEC0816E3E8154E0DA65513F269BB762C9A1A7C06D6186A94243C66BF7CD43ABA48B8988E094F0219A42865F4372B9EFE53AB4BB7AD67B84F55DFEF28711
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732460804);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732460804);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732460804);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173246

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.476737461530131
Encrypted:	false
SSDEEP:	192:nnPOeRnLYbBp6kJ0aX+r6SEXKSfNS55RHWNBw8dYSl:PDetJU+zVCHEw30
MD5:	7EB6196CFA6422137A9B23E612DFF2B6
SHA1:	1793A75446237DAA38A0D7ED8E7D7ECEE0B48B87
SHA-256:	F96C12062E1746985070F91A576C67D1451DEFBD48B8245E55E0FDED0B9DE73E
SHA-512:	DD27EEC0816E3E8154E0DA65513F269BB762C9A1A7C06D6186A94243C66BF7CD43ABA48B8988E094F0219A42865F4372B9EFE53AB4BB7AD67B84F55DFEF28711
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732460804);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732460804);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732460804);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173246

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.339390907232971
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSRLXnIrY/pnxQwRcWT5sKmgb0v3eHVpjO+6amhujJwO2c0TiVm0BtT:GUpOxM5nRcoegi3erjx64Jwc3zBtT
MD5:	6A74390091FEAA2DE0CF3743DE67A93E
SHA1:	9D9F6896F8A5834485D9D73FEC5CD3BDB158939D
SHA-256:	40CF221A0978BF2368953322EA21E8D9F029C1F6989D1B148CD3C2369A901611
SHA-512:	2CF9392C64F1819D474B798BAD9B0E5A646C449869C9BFFE134E1CCC14D27616BD3CF207337D94743A75082AEBC4344AD79788FBD9CD92D9C702982F4B9F1606
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{1c418a86-1996-4239-924c-ac24868ad415}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732460808842,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...3,"startTim..`773928...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....778719,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.339390907232971
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSRLXnIrY/pnxQwRcWT5sKmgb0v3eHVpjO+6amhujJwO2c0TiVm0BtT:GUpOxM5nRcoegi3erjx64Jwc3zBtT
MD5:	6A74390091FEAA2DE0CF3743DE67A93E
SHA1:	9D9F6896F8A5834485D9D73FEC5CD3BDB158939D
SHA-256:	40CF221A0978BF2368953322EA21E8D9F029C1F6989D1B148CD3C2369A901611
SHA-512:	2CF9392C64F1819D474B798BAD9B0E5A646C449869C9BFFE134E1CCC14D27616BD3CF207337D94743A75082AEBC4344AD79788FBD9CD92D9C702982F4B9F1606
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{1c418a86-1996-4239-924c-ac24868ad415}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732460808842,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...3,"startTim..`773928...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....778719,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.339390907232971
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSRLXnIrY/pnxQwRcWT5sKmgb0v3eHVpjO+6amhujJwO2c0TiVm0BtT:GUpOxM5nRcoegi3erjx64Jwc3zBtT
MD5:	6A74390091FEAA2DE0CF3743DE67A93E
SHA1:	9D9F6896F8A5834485D9D73FEC5CD3BDB158939D
SHA-256:	40CF221A0978BF2368953322EA21E8D9F029C1F6989D1B148CD3C2369A901611
SHA-512:	2CF9392C64F1819D474B798BAD9B0E5A646C449869C9BFFE134E1CCC14D27616BD3CF207337D94743A75082AEBC4344AD79788FBD9CD92D9C702982F4B9F1606
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{1c418a86-1996-4239-924c-ac24868ad415}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1732460808842,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...3,"startTim..`773928...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....778719,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029872462849043
Encrypted:	false
SSDEEP:	96:yc2MTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:ZTEr5NX0z3DhRe
MD5:	27B99CFCB708A6084325EB54D6069992
SHA1:	E2744AF5414C4568535F67BA5E49B5690E4D02C2
SHA-256:	BD37B2F87D9CEFFF013E9BEC446954EBCD6EFAC43D70E1210BADAEB852EC4F57
SHA-512:	7F116FE00B2F98E5CEAF78EB5700D16C2CACCE132E1531685CEF2066D1825C09D37EF29F5D43C2D9B52A97A5540B5A55E38A6B6F18B6CABC39B644522E483E80
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T15:06:23.448Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029872462849043
Encrypted:	false
SSDEEP:	96:yc2MTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:ZTEr5NX0z3DhRe
MD5:	27B99CFCB708A6084325EB54D6069992
SHA1:	E2744AF5414C4568535F67BA5E49B5690E4D02C2
SHA-256:	BD37B2F87D9CEFFF013E9BEC446954EBCD6EFAC43D70E1210BADAEB852EC4F57
SHA-512:	7F116FE00B2F98E5CEAF78EB5700D16C2CACCE132E1531685CEF2066D1825C09D37EF29F5D43C2D9B52A97A5540B5A55E38A6B6F18B6CABC39B644522E483E80
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T15:06:23.448Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.594314725804723
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	923'136 bytes
MD5:	89dd8a448515dcc941c852ea2f54d652
SHA1:	a303ccebb2201027d7eb6a0353229ee062ad9ec8
SHA256:	3f204d722304997944321470753704bbeedc99ce834daca201c68ab669706efd
SHA512:	5281a92f6ba6dcba38b78f3923ef6c58476b2578f08b4a083ff351466d357e93a92a6bbc8b1213333006188db904d7cfc466da58134d1e31db42e8741427f47a
SSDEEP:	12288:+qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga6Tb:+qDEvCTbMWu7rQYlBQcBiT6rprG8aKb
TLSH:	43159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13A81D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67432BBE [Sun Nov 24 13:35:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F3E946E45E3h
jmp 00007F3E946E3EEFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3E946E40CDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3E946E409Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F3E946E6C8Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F3E946E6CD8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F3E946E6CC1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xabb0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xabb0	0xac00	f1f9c7eeb125ece9d95b174c799931e8	False	0.38474291424418605	data	5.694360003590478	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1e78	data			1.0014102564102565
RT_GROUP_ICON	0xde630	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde6a8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde6bc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde6d0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde6e4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde7c0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 14:56:16.356475115 CET	49710	443	192.168.2.5	35.190.72.216
Nov 24, 2024 14:56:16.356522083 CET	443	49710	35.190.72.216	192.168.2.5
Nov 24, 2024 14:56:16.357167959 CET	49710	443	192.168.2.5	35.190.72.216
Nov 24, 2024 14:56:16.361751080 CET	49710	443	192.168.2.5	35.190.72.216
Nov 24, 2024 14:56:16.361766100 CET	443	49710	35.190.72.216	192.168.2.5
Nov 24, 2024 14:56:16.750013113 CET	49711	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:16.750040054 CET	443	49711	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:16.750106096 CET	49711	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:16.751540899 CET	49711	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:16.751555920 CET	443	49711	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:16.829402924 CET	49712	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:16.829478025 CET	443	49712	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:16.832102060 CET	49712	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:16.833722115 CET	49712	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:16.833739996 CET	443	49712	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:17.076910019 CET	49713	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:17.197962999 CET	80	49713	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:17.198048115 CET	49713	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:17.198241949 CET	49713	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:17.317886114 CET	80	49713	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:17.586992979 CET	49715	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:17.587038994 CET	443	49715	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:17.588615894 CET	49716	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:17.588634014 CET	443	49716	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:17.591182947 CET	49715	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:17.591268063 CET	49716	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:17.592647076 CET	49715	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:17.592669010 CET	443	49715	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:17.594352961 CET	49716	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:17.594367027 CET	443	49716	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:17.696751118 CET	443	49710	35.190.72.216	192.168.2.5
Nov 24, 2024 14:56:17.698759079 CET	49710	443	192.168.2.5	35.190.72.216
Nov 24, 2024 14:56:17.706830978 CET	49710	443	192.168.2.5	35.190.72.216
Nov 24, 2024 14:56:17.706845045 CET	443	49710	35.190.72.216	192.168.2.5
Nov 24, 2024 14:56:17.706953049 CET	49710	443	192.168.2.5	35.190.72.216
Nov 24, 2024 14:56:17.707106113 CET	443	49710	35.190.72.216	192.168.2.5
Nov 24, 2024 14:56:17.707370043 CET	49710	443	192.168.2.5	35.190.72.216
Nov 24, 2024 14:56:17.716325045 CET	49717	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:17.716351986 CET	443	49717	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:17.716494083 CET	49717	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:17.716619968 CET	49717	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:17.716629982 CET	443	49717	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:18.286773920 CET	80	49713	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:18.324873924 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 14:56:18.324934959 CET	443	49718	34.160.144.191	192.168.2.5
Nov 24, 2024 14:56:18.325860023 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 14:56:18.326037884 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 14:56:18.326047897 CET	443	49718	34.160.144.191	192.168.2.5
Nov 24, 2024 14:56:18.341454029 CET	49713	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:18.489612103 CET	49719	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:18.584882975 CET	443	49711	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:18.584955931 CET	49711	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:18.585911989 CET	443	49711	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:18.586082935 CET	49711	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:18.590841055 CET	49711	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:18.590850115 CET	443	49711	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:18.590955973 CET	49711	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:18.591073990 CET	443	49711	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:18.591129065 CET	49711	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:18.609277964 CET	80	49719	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:18.609354019 CET	49719	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:18.609517097 CET	49719	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:18.638782024 CET	443	49712	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:18.638873100 CET	49712	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:18.639976025 CET	443	49712	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:18.640034914 CET	49712	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:18.644058943 CET	49712	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:18.644071102 CET	443	49712	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:18.644172907 CET	49712	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:18.644289017 CET	443	49712	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:18.644512892 CET	49720	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:18.644557953 CET	443	49720	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:18.657967091 CET	49712	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:18.658133984 CET	49720	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:18.659399986 CET	49720	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:18.659414053 CET	443	49720	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:18.729815006 CET	80	49719	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:18.826637983 CET	443	49716	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:18.826710939 CET	49716	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:18.831723928 CET	49716	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:18.831732988 CET	443	49716	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:18.831876040 CET	49716	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:18.832024097 CET	443	49716	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:18.832338095 CET	49721	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:18.832364082 CET	443	49721	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:18.833482981 CET	49716	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:18.833518982 CET	49721	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:18.834887028 CET	49721	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:18.834909916 CET	443	49721	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:18.916707993 CET	443	49715	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:18.916994095 CET	49715	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:18.920969963 CET	49715	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:18.920979023 CET	443	49715	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:18.921049118 CET	49715	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:18.921284914 CET	443	49715	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:18.923202038 CET	49715	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:18.934525967 CET	443	49717	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:18.936078072 CET	49717	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:18.939368010 CET	49717	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:18.939379930 CET	443	49717	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:18.940001965 CET	443	49717	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:18.942354918 CET	49717	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:18.942440033 CET	49717	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:18.942542076 CET	443	49717	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:18.942598104 CET	49717	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:19.003542900 CET	49713	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:19.126257896 CET	80	49713	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:19.126318932 CET	49713	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:19.384908915 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:19.504415035 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:19.507205009 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:19.507388115 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:19.591185093 CET	443	49718	34.160.144.191	192.168.2.5
Nov 24, 2024 14:56:19.591953993 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 14:56:19.600934982 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 14:56:19.600970984 CET	443	49718	34.160.144.191	192.168.2.5
Nov 24, 2024 14:56:19.601463079 CET	443	49718	34.160.144.191	192.168.2.5
Nov 24, 2024 14:56:19.603327990 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 14:56:19.603420973 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 14:56:19.603549957 CET	443	49718	34.160.144.191	192.168.2.5
Nov 24, 2024 14:56:19.606699944 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 14:56:19.606699944 CET	49718	443	192.168.2.5	34.160.144.191
Nov 24, 2024 14:56:19.626852989 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:19.798361063 CET	80	49719	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:19.800143003 CET	49719	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:19.920073986 CET	80	49719	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:19.920267105 CET	49719	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:19.981993914 CET	49725	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:19.982036114 CET	443	49725	34.107.243.93	192.168.2.5
Nov 24, 2024 14:56:19.987179995 CET	49725	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:19.988629103 CET	49725	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:19.988643885 CET	443	49725	34.107.243.93	192.168.2.5
Nov 24, 2024 14:56:20.041270971 CET	49726	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:20.041281939 CET	443	49726	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:20.042606115 CET	49726	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:20.053555965 CET	49726	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:20.053567886 CET	443	49726	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:20.054209948 CET	443	49721	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:20.056662083 CET	49721	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:20.063760042 CET	49721	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:20.063772917 CET	443	49721	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:20.063851118 CET	49721	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:20.064052105 CET	443	49721	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:20.064626932 CET	49721	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:20.155508995 CET	49727	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:20.155529022 CET	443	49727	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:20.156286955 CET	49728	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:20.156343937 CET	443	49728	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:20.157856941 CET	49727	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:20.158111095 CET	49728	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:20.159218073 CET	49727	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:20.159231901 CET	443	49727	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:20.159452915 CET	49728	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:20.159472942 CET	443	49728	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:20.190898895 CET	49729	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:20.190929890 CET	443	49729	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:20.191469908 CET	49729	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:20.192889929 CET	49729	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:20.192903996 CET	443	49729	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:20.443202972 CET	443	49720	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:20.443218946 CET	443	49720	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:20.443281889 CET	49720	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:20.443958998 CET	443	49720	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:20.444015980 CET	49720	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:20.480138063 CET	49720	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:20.480158091 CET	443	49720	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:20.480215073 CET	49720	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:20.480340958 CET	443	49720	142.250.181.142	192.168.2.5
Nov 24, 2024 14:56:20.481116056 CET	49720	443	192.168.2.5	142.250.181.142
Nov 24, 2024 14:56:20.685794115 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:20.743012905 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:20.879515886 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:20.999512911 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:20.999625921 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:20.999814987 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:21.119235992 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:21.209152937 CET	443	49725	34.107.243.93	192.168.2.5
Nov 24, 2024 14:56:21.209261894 CET	49725	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:21.320662975 CET	443	49726	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:21.320749998 CET	49726	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:21.363471985 CET	49731	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:21.363531113 CET	443	49731	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:21.365257025 CET	49725	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:21.365349054 CET	443	49725	34.107.243.93	192.168.2.5
Nov 24, 2024 14:56:21.365386009 CET	49725	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:21.365650892 CET	443	49725	34.107.243.93	192.168.2.5
Nov 24, 2024 14:56:21.366631985 CET	49726	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:21.366662979 CET	443	49726	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:21.366692066 CET	49726	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:21.366863012 CET	49725	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:21.366868973 CET	49731	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:21.366944075 CET	443	49726	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:21.368355989 CET	49731	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:21.368388891 CET	443	49731	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:21.368472099 CET	49726	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:21.375504017 CET	443	49728	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:21.375598907 CET	49728	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:21.452739000 CET	49728	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:21.452766895 CET	443	49728	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:21.453167915 CET	443	49728	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:21.457241058 CET	443	49729	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:21.457321882 CET	49729	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:21.473159075 CET	443	49727	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:21.473239899 CET	49727	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:21.498334885 CET	49728	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:21.563839912 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:21.568331003 CET	49729	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:21.568356037 CET	443	49729	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:21.568404913 CET	49729	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:21.568640947 CET	443	49729	34.117.188.166	192.168.2.5
Nov 24, 2024 14:56:21.570748091 CET	49728	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:21.570945978 CET	49728	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:21.570993900 CET	443	49728	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:21.578107119 CET	49727	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:21.578124046 CET	443	49727	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:21.578164101 CET	49727	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:21.578452110 CET	443	49727	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:21.578660011 CET	49729	443	192.168.2.5	34.117.188.166
Nov 24, 2024 14:56:21.578660011 CET	49728	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:21.578675985 CET	49727	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:21.683331013 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:21.706835032 CET	49732	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:21.706899881 CET	443	49732	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:21.706986904 CET	49732	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:21.708367109 CET	49732	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:21.708401918 CET	443	49732	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:21.896699905 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:21.946392059 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:22.125194073 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:22.184731007 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:22.644001007 CET	443	49731	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:22.645958900 CET	49731	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:22.662309885 CET	49731	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:22.662322998 CET	443	49731	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:22.662429094 CET	49731	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:22.662506104 CET	443	49731	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:22.662636042 CET	49731	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:22.662811041 CET	49735	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:22.662857056 CET	443	49735	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:22.663043022 CET	49735	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:22.664410114 CET	49735	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:22.664423943 CET	443	49735	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:23.028480053 CET	443	49732	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:23.035332918 CET	443	49732	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:23.036581993 CET	49732	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:23.045783997 CET	49732	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:23.045792103 CET	443	49732	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:23.045880079 CET	49732	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:23.045922041 CET	443	49732	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:23.046021938 CET	49732	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:24.034077883 CET	443	49735	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:24.034388065 CET	49735	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:24.039227009 CET	49735	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:24.039241076 CET	443	49735	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:24.039302111 CET	49735	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:24.039403915 CET	443	49735	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:24.039480925 CET	49735	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:24.321650028 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:24.322416067 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:24.323883057 CET	49736	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:24.323926926 CET	443	49736	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:24.323971033 CET	49737	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:24.323998928 CET	443	49737	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:24.324358940 CET	49736	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:24.324610949 CET	49737	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:24.366579056 CET	49738	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:24.366620064 CET	443	49738	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:24.366792917 CET	49737	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:24.366813898 CET	443	49737	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:24.366880894 CET	49736	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:24.366897106 CET	443	49736	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:24.367161989 CET	49739	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:24.367182970 CET	443	49739	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:24.367235899 CET	49738	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:24.367361069 CET	49739	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:24.368808985 CET	49738	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:24.368812084 CET	49739	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:24.368818045 CET	443	49738	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:24.368828058 CET	443	49739	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:24.369081974 CET	49740	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:24.369113922 CET	443	49740	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:24.369297028 CET	49740	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:24.369477034 CET	49740	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:24.369492054 CET	443	49740	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:24.442212105 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:24.443053961 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:24.687566042 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:24.699004889 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:24.743475914 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:24.743561983 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:25.581176996 CET	443	49738	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:25.581274986 CET	49738	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:25.581453085 CET	443	49740	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:25.581633091 CET	49740	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:25.585788965 CET	49740	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:25.585798979 CET	443	49740	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:25.586141109 CET	443	49740	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:25.589471102 CET	49738	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:25.589481115 CET	443	49738	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:25.589590073 CET	49738	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:25.589689970 CET	443	49738	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:25.589696884 CET	49740	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:25.589759111 CET	49740	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:25.589884043 CET	443	49740	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:25.589993000 CET	49738	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:25.590015888 CET	49740	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:25.672317982 CET	443	49737	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:25.672436953 CET	49737	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:25.673423052 CET	443	49736	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:25.673480988 CET	49736	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:25.674073935 CET	443	49739	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:25.674248934 CET	49739	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:26.398204088 CET	49737	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:26.398224115 CET	443	49737	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:26.398586035 CET	443	49737	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:26.400496006 CET	49736	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:26.400515079 CET	443	49736	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:26.400953054 CET	443	49736	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:26.402791023 CET	49739	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:26.402811050 CET	443	49739	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:26.403208017 CET	443	49739	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:26.407778025 CET	49737	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:26.407866955 CET	49737	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:26.407988071 CET	49736	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:26.407989979 CET	443	49737	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:26.408046961 CET	49736	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:26.408076048 CET	49737	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:26.408076048 CET	49739	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:26.408114910 CET	49739	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:26.408193111 CET	443	49736	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:26.408302069 CET	443	49739	34.120.208.123	192.168.2.5
Nov 24, 2024 14:56:26.408329964 CET	49736	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:26.408360958 CET	49739	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:56:29.951852083 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:29.953366041 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:30.072079897 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:30.074126005 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:30.267282009 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:30.287827969 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:30.314757109 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:30.330385923 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:30.802875996 CET	49759	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:30.802910089 CET	443	49759	34.107.243.93	192.168.2.5
Nov 24, 2024 14:56:30.807375908 CET	49759	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:30.808865070 CET	49759	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:30.808883905 CET	443	49759	34.107.243.93	192.168.2.5
Nov 24, 2024 14:56:31.182020903 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:31.302905083 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:31.496902943 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:31.549495935 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:32.096118927 CET	443	49759	34.107.243.93	192.168.2.5
Nov 24, 2024 14:56:32.096206903 CET	49759	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:32.615071058 CET	49759	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:32.615101099 CET	443	49759	34.107.243.93	192.168.2.5
Nov 24, 2024 14:56:32.615137100 CET	49759	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:32.615663052 CET	443	49759	34.107.243.93	192.168.2.5
Nov 24, 2024 14:56:32.615741968 CET	49759	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:33.753827095 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:33.873434067 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:34.086703062 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:34.141371965 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:34.515882015 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:34.635401964 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:34.830687046 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:34.874614954 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:43.489124060 CET	49792	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:43.489165068 CET	443	49792	34.107.243.93	192.168.2.5
Nov 24, 2024 14:56:43.489387035 CET	49792	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:43.490808964 CET	49792	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:43.490840912 CET	443	49792	34.107.243.93	192.168.2.5
Nov 24, 2024 14:56:44.101352930 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:44.261034012 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:44.627063990 CET	49794	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:44.627131939 CET	443	49794	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:44.633088112 CET	49794	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:44.633248091 CET	49794	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:44.633264065 CET	443	49794	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:44.656049967 CET	49795	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:44.656100035 CET	443	49795	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:44.657030106 CET	49795	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:44.657191038 CET	49795	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:44.657201052 CET	443	49795	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:44.724231005 CET	49796	443	192.168.2.5	35.190.72.216
Nov 24, 2024 14:56:44.724283934 CET	443	49796	35.190.72.216	192.168.2.5
Nov 24, 2024 14:56:44.734467983 CET	49796	443	192.168.2.5	35.190.72.216
Nov 24, 2024 14:56:44.743386984 CET	49796	443	192.168.2.5	35.190.72.216
Nov 24, 2024 14:56:44.743405104 CET	443	49796	35.190.72.216	192.168.2.5
Nov 24, 2024 14:56:44.752008915 CET	443	49792	34.107.243.93	192.168.2.5
Nov 24, 2024 14:56:44.756637096 CET	49792	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:44.762938023 CET	49792	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:44.762962103 CET	443	49792	34.107.243.93	192.168.2.5
Nov 24, 2024 14:56:44.763014078 CET	49792	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:44.763184071 CET	443	49792	34.107.243.93	192.168.2.5
Nov 24, 2024 14:56:44.766335011 CET	49792	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:56:44.768686056 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:44.834681034 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:44.881259918 CET	49797	443	192.168.2.5	151.101.129.91
Nov 24, 2024 14:56:44.881293058 CET	443	49797	151.101.129.91	192.168.2.5
Nov 24, 2024 14:56:44.881361961 CET	49797	443	192.168.2.5	151.101.129.91
Nov 24, 2024 14:56:44.881479025 CET	49797	443	192.168.2.5	151.101.129.91
Nov 24, 2024 14:56:44.881501913 CET	443	49797	151.101.129.91	192.168.2.5
Nov 24, 2024 14:56:44.889924049 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:44.955538034 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:45.067363977 CET	49798	443	192.168.2.5	35.201.103.21
Nov 24, 2024 14:56:45.067411900 CET	443	49798	35.201.103.21	192.168.2.5
Nov 24, 2024 14:56:45.068929911 CET	49798	443	192.168.2.5	35.201.103.21
Nov 24, 2024 14:56:45.070333958 CET	49798	443	192.168.2.5	35.201.103.21
Nov 24, 2024 14:56:45.070353985 CET	443	49798	35.201.103.21	192.168.2.5
Nov 24, 2024 14:56:45.104084969 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:45.107161045 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:45.157706022 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:45.232652903 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:45.428308010 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:45.474205971 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:45.871670008 CET	443	49795	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:45.871746063 CET	49795	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:45.875077963 CET	49795	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:45.875088930 CET	443	49795	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:45.875320911 CET	443	49795	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:45.878022909 CET	49795	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:45.878118038 CET	49795	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:45.878148079 CET	443	49795	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:45.878288031 CET	49795	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:45.881596088 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:45.903156042 CET	443	49794	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:45.903230906 CET	49794	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:45.906269073 CET	49794	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:45.906281948 CET	443	49794	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:45.906615973 CET	443	49794	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:45.909029007 CET	49794	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:45.909105062 CET	49794	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:45.909208059 CET	443	49794	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:45.909729958 CET	49794	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:46.001055956 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:46.003118038 CET	443	49796	35.190.72.216	192.168.2.5
Nov 24, 2024 14:56:46.003148079 CET	443	49796	35.190.72.216	192.168.2.5
Nov 24, 2024 14:56:46.003180027 CET	49796	443	192.168.2.5	35.190.72.216
Nov 24, 2024 14:56:46.006722927 CET	49796	443	192.168.2.5	35.190.72.216
Nov 24, 2024 14:56:46.006752014 CET	443	49796	35.190.72.216	192.168.2.5
Nov 24, 2024 14:56:46.006858110 CET	49796	443	192.168.2.5	35.190.72.216
Nov 24, 2024 14:56:46.006900072 CET	443	49796	35.190.72.216	192.168.2.5
Nov 24, 2024 14:56:46.007936954 CET	49796	443	192.168.2.5	35.190.72.216
Nov 24, 2024 14:56:46.154614925 CET	443	49797	151.101.129.91	192.168.2.5
Nov 24, 2024 14:56:46.154710054 CET	49797	443	192.168.2.5	151.101.129.91
Nov 24, 2024 14:56:46.157695055 CET	49797	443	192.168.2.5	151.101.129.91
Nov 24, 2024 14:56:46.157725096 CET	443	49797	151.101.129.91	192.168.2.5
Nov 24, 2024 14:56:46.158091068 CET	443	49797	151.101.129.91	192.168.2.5
Nov 24, 2024 14:56:46.159751892 CET	49797	443	192.168.2.5	151.101.129.91
Nov 24, 2024 14:56:46.159836054 CET	49797	443	192.168.2.5	151.101.129.91
Nov 24, 2024 14:56:46.159946918 CET	443	49797	151.101.129.91	192.168.2.5
Nov 24, 2024 14:56:46.160599947 CET	49797	443	192.168.2.5	151.101.129.91
Nov 24, 2024 14:56:46.168112040 CET	49804	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:46.168157101 CET	443	49804	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:46.168248892 CET	49804	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:46.168359041 CET	49804	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:46.168366909 CET	443	49804	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:46.170181036 CET	49805	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:46.170217991 CET	443	49805	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:46.170562983 CET	49805	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:46.170658112 CET	49805	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:46.170666933 CET	443	49805	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:46.172400951 CET	49806	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:46.172410965 CET	443	49806	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:46.172751904 CET	49806	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:46.172851086 CET	49806	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:46.172858000 CET	443	49806	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:46.214730024 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:46.217031002 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:46.260901928 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:46.335640907 CET	443	49798	35.201.103.21	192.168.2.5
Nov 24, 2024 14:56:46.335711956 CET	49798	443	192.168.2.5	35.201.103.21
Nov 24, 2024 14:56:46.336654902 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:46.340100050 CET	49798	443	192.168.2.5	35.201.103.21
Nov 24, 2024 14:56:46.340117931 CET	443	49798	35.201.103.21	192.168.2.5
Nov 24, 2024 14:56:46.340200901 CET	49798	443	192.168.2.5	35.201.103.21
Nov 24, 2024 14:56:46.340325117 CET	443	49798	35.201.103.21	192.168.2.5
Nov 24, 2024 14:56:46.340385914 CET	49798	443	192.168.2.5	35.201.103.21
Nov 24, 2024 14:56:46.343754053 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:46.353487015 CET	49807	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:46.353539944 CET	443	49807	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:46.353847027 CET	49807	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:46.353962898 CET	49807	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:46.353972912 CET	443	49807	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:46.463479042 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:46.532974958 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:46.577357054 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:46.677378893 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:46.680624008 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:46.724514961 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:46.800163984 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:46.995903969 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:47.036781073 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:47.457336903 CET	443	49804	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:47.457475901 CET	49804	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.459981918 CET	49804	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.459986925 CET	443	49804	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:47.460211992 CET	443	49804	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:47.462270975 CET	49804	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.462405920 CET	49804	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.462409973 CET	443	49804	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:47.462419987 CET	443	49804	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:47.464379072 CET	49804	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.464379072 CET	49804	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.464508057 CET	49804	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.468956947 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:47.525899887 CET	443	49806	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:47.526081085 CET	49806	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.528696060 CET	49806	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.528700113 CET	443	49806	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:47.529021025 CET	443	49806	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:47.530992985 CET	49806	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.531028986 CET	49806	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.531157017 CET	443	49806	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:47.535711050 CET	49806	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.560067892 CET	443	49805	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:47.564673901 CET	49805	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.568172932 CET	49805	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.568185091 CET	443	49805	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:47.568526030 CET	443	49805	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:47.571425915 CET	49805	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.571497917 CET	49805	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.571603060 CET	443	49805	35.244.181.201	192.168.2.5
Nov 24, 2024 14:56:47.572047949 CET	49805	443	192.168.2.5	35.244.181.201
Nov 24, 2024 14:56:47.589005947 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:47.651364088 CET	443	49807	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:47.651477098 CET	49807	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:47.654098988 CET	49807	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:47.654108047 CET	443	49807	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:47.654424906 CET	443	49807	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:47.655950069 CET	49807	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:47.656053066 CET	49807	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:47.656127930 CET	443	49807	34.149.100.209	192.168.2.5
Nov 24, 2024 14:56:47.656824112 CET	49807	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:47.656850100 CET	49807	443	192.168.2.5	34.149.100.209
Nov 24, 2024 14:56:47.803533077 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:47.806408882 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:47.865528107 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:47.925932884 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:48.123768091 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:48.166404963 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:57.465820074 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:57.585434914 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:57.798815966 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:57.801728010 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:57.852313042 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:56:57.921375036 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:58.118071079 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:56:58.175359011 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:05.763647079 CET	49852	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:57:05.763674974 CET	443	49852	34.107.243.93	192.168.2.5
Nov 24, 2024 14:57:05.763926029 CET	49852	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:57:05.765336037 CET	49852	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:57:05.765364885 CET	443	49852	34.107.243.93	192.168.2.5
Nov 24, 2024 14:57:07.022401094 CET	443	49852	34.107.243.93	192.168.2.5
Nov 24, 2024 14:57:07.022548914 CET	49852	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:57:07.026942968 CET	49852	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:57:07.026976109 CET	443	49852	34.107.243.93	192.168.2.5
Nov 24, 2024 14:57:07.027044058 CET	49852	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:57:07.027141094 CET	443	49852	34.107.243.93	192.168.2.5
Nov 24, 2024 14:57:07.027251959 CET	49852	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:57:07.029422998 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:07.148977995 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:07.366811037 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:07.369771957 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:07.416717052 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:07.490406990 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:07.686026096 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:07.733213902 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:15.453972101 CET	49877	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:57:15.454011917 CET	443	49877	34.120.208.123	192.168.2.5
Nov 24, 2024 14:57:15.454142094 CET	49878	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:57:15.454191923 CET	443	49878	34.120.208.123	192.168.2.5
Nov 24, 2024 14:57:15.454679012 CET	49877	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:57:15.454739094 CET	49878	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:57:15.454912901 CET	49877	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:57:15.454931021 CET	443	49877	34.120.208.123	192.168.2.5
Nov 24, 2024 14:57:15.455028057 CET	49878	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:57:15.455039978 CET	443	49878	34.120.208.123	192.168.2.5
Nov 24, 2024 14:57:16.714658022 CET	443	49877	34.120.208.123	192.168.2.5
Nov 24, 2024 14:57:16.714762926 CET	49877	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:57:16.717808008 CET	49877	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:57:16.717822075 CET	443	49877	34.120.208.123	192.168.2.5
Nov 24, 2024 14:57:16.718063116 CET	443	49877	34.120.208.123	192.168.2.5
Nov 24, 2024 14:57:16.720051050 CET	49877	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:57:16.720174074 CET	49877	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:57:16.720200062 CET	443	49877	34.120.208.123	192.168.2.5
Nov 24, 2024 14:57:16.723246098 CET	49877	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:57:16.723995924 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:16.741725922 CET	443	49878	34.120.208.123	192.168.2.5
Nov 24, 2024 14:57:16.741806030 CET	49878	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:57:16.744900942 CET	49878	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:57:16.744909048 CET	443	49878	34.120.208.123	192.168.2.5
Nov 24, 2024 14:57:16.745249987 CET	443	49878	34.120.208.123	192.168.2.5
Nov 24, 2024 14:57:16.747359991 CET	49878	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:57:16.747447014 CET	49878	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:57:16.747524977 CET	443	49878	34.120.208.123	192.168.2.5
Nov 24, 2024 14:57:16.748172998 CET	49878	443	192.168.2.5	34.120.208.123
Nov 24, 2024 14:57:16.844135046 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:17.057665110 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:17.060563087 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:17.107884884 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:17.181618929 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:17.378432035 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:17.430852890 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:27.058990002 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:27.178607941 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:27.391089916 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:27.510684967 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:37.188321114 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:37.307835102 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:37.520478964 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:37.641033888 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:47.174221039 CET	49949	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:57:47.174269915 CET	443	49949	34.107.243.93	192.168.2.5
Nov 24, 2024 14:57:47.175137043 CET	49949	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:57:47.176652908 CET	49949	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:57:47.176667929 CET	443	49949	34.107.243.93	192.168.2.5
Nov 24, 2024 14:57:47.316854954 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:47.437849045 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:47.648957968 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:47.768496037 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:48.388668060 CET	443	49949	34.107.243.93	192.168.2.5
Nov 24, 2024 14:57:48.388753891 CET	49949	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:57:48.395195007 CET	49949	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:57:48.395219088 CET	443	49949	34.107.243.93	192.168.2.5
Nov 24, 2024 14:57:48.395296097 CET	49949	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:57:48.395411968 CET	443	49949	34.107.243.93	192.168.2.5
Nov 24, 2024 14:57:48.395644903 CET	49949	443	192.168.2.5	34.107.243.93
Nov 24, 2024 14:57:48.398302078 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:48.521235943 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:48.731939077 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:48.735279083 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:48.783476114 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:48.855005026 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:49.050278902 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:49.099945068 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:58.749134064 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:58.876545906 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:57:59.065644026 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:57:59.192373991 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:58:08.879081964 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:58:09.004972935 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:58:09.195574045 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:58:09.320768118 CET	80	49730	34.107.221.82	192.168.2.5
Nov 24, 2024 14:58:19.008368969 CET	49722	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:58:19.135864019 CET	80	49722	34.107.221.82	192.168.2.5
Nov 24, 2024 14:58:19.324805021 CET	49730	80	192.168.2.5	34.107.221.82
Nov 24, 2024 14:58:19.451855898 CET	80	49730	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 14:56:16.357119083 CET	49331	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:16.495234013 CET	53	49331	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:16.507606983 CET	55751	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:16.605663061 CET	53754	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:16.651031017 CET	53	55751	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:16.652343988 CET	55143	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:16.745284081 CET	53	53754	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:16.750488997 CET	54855	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:16.792763948 CET	53177	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:16.889599085 CET	53	54855	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:16.893287897 CET	56258	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:16.930946112 CET	53	53177	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:16.936161041 CET	53961	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:17.033116102 CET	53	56258	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:17.075754881 CET	53	53961	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:17.298297882 CET	52527	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:17.389555931 CET	49961	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:17.436743975 CET	53	52527	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:17.528359890 CET	53	49961	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:17.588212967 CET	57588	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:17.589396000 CET	57777	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:17.717796087 CET	57853	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:17.725141048 CET	53	57588	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:17.725604057 CET	50569	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:17.727263927 CET	53	57777	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:17.727682114 CET	54544	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:17.865756035 CET	53	50569	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:17.867923975 CET	53	54544	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:18.050173044 CET	53	57853	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:18.060024977 CET	60542	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:18.160083055 CET	59718	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:18.199330091 CET	53	60542	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:18.299911022 CET	53	59718	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:18.326689005 CET	58416	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:18.338351965 CET	56512	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:18.340321064 CET	63179	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:18.345052958 CET	55450	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:18.464802980 CET	53	58416	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:18.465562105 CET	50885	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:18.476934910 CET	53	56512	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:18.480063915 CET	53	63179	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:18.602535009 CET	53	50885	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:19.441497087 CET	52109	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:19.538490057 CET	59210	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:19.681323051 CET	53	59210	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:19.682761908 CET	60114	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:19.819768906 CET	53	60114	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:19.822377920 CET	61352	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:19.960832119 CET	53	61352	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:19.999006033 CET	51773	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:20.052604914 CET	62099	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:20.136984110 CET	53	51773	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:20.155766010 CET	61798	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:20.200968027 CET	53	62099	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:20.211395025 CET	53	63877	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:20.220882893 CET	53693	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:20.293756008 CET	53	61798	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:20.301414967 CET	55965	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:20.367651939 CET	53	53693	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:20.439357042 CET	53	55965	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:24.154644012 CET	56907	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.166866064 CET	57852	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.167745113 CET	57147	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.291946888 CET	53	56907	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:24.292745113 CET	62689	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.303921938 CET	53	57852	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:24.304707050 CET	53	57147	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:24.304764986 CET	62164	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.305275917 CET	50604	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.431766033 CET	53	62689	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:24.443953991 CET	53	62164	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:24.444624901 CET	64739	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.445003033 CET	53	50604	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:24.445570946 CET	53003	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.449558020 CET	57403	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.582364082 CET	53	53003	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:24.582444906 CET	53	64739	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:24.583126068 CET	51429	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.583293915 CET	54552	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.587265015 CET	53	57403	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:24.587765932 CET	57898	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.724716902 CET	53	51429	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:24.725167990 CET	53	54552	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:24.726336956 CET	54224	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.728585005 CET	53	57898	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:24.731332064 CET	55775	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.737307072 CET	65346	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.863961935 CET	53	54224	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:24.869559050 CET	53	55775	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:24.874607086 CET	53	65346	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:24.907563925 CET	51781	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.907847881 CET	50525	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:24.908322096 CET	54771	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:25.046854973 CET	53	50525	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:25.047028065 CET	53	51781	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:25.048851013 CET	53	54771	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:25.268754959 CET	55167	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:25.412066936 CET	53	55167	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:29.952835083 CET	55967	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:30.095036030 CET	53	55967	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:30.097022057 CET	60575	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:30.236254930 CET	53	60575	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:30.236893892 CET	54860	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:30.374741077 CET	53	54860	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:43.489625931 CET	54916	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:43.630671024 CET	53	54916	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:44.627580881 CET	49469	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:44.652126074 CET	61190	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:44.751816034 CET	50691	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:44.765474081 CET	53	49469	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:44.880192995 CET	53	61190	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:44.881629944 CET	56656	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:45.020472050 CET	53	56656	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:45.021240950 CET	53885	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:45.066349983 CET	53	50691	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:45.067800045 CET	60259	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:45.164136887 CET	53	53885	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:45.211462021 CET	53	60259	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:45.212229967 CET	58558	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:56:45.350327969 CET	53	58558	1.1.1.1	192.168.2.5
Nov 24, 2024 14:56:57.466130018 CET	56713	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:57:05.763922930 CET	62399	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:57:05.908837080 CET	53	62399	1.1.1.1	192.168.2.5
Nov 24, 2024 14:57:11.629812002 CET	57031	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:57:15.455166101 CET	62906	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:57:15.593077898 CET	53	62906	1.1.1.1	192.168.2.5
Nov 24, 2024 14:57:47.034476995 CET	52109	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:57:47.172940016 CET	53	52109	1.1.1.1	192.168.2.5
Nov 24, 2024 14:57:47.175101995 CET	60529	53	192.168.2.5	1.1.1.1
Nov 24, 2024 14:57:47.314928055 CET	53	60529	1.1.1.1	192.168.2.5
Nov 24, 2024 14:57:48.398685932 CET	49924	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 14:56:16.357119083 CET	192.168.2.5	1.1.1.1	0x7878	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:16.507606983 CET	192.168.2.5	1.1.1.1	0xbad1	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 14:56:16.605663061 CET	192.168.2.5	1.1.1.1	0x36d2	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:16.652343988 CET	192.168.2.5	1.1.1.1	0x39fb	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:16.750488997 CET	192.168.2.5	1.1.1.1	0x59f	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:16.792763948 CET	192.168.2.5	1.1.1.1	0x73dd	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:16.893287897 CET	192.168.2.5	1.1.1.1	0xecb1	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 24, 2024 14:56:16.936161041 CET	192.168.2.5	1.1.1.1	0x9b7d	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 14:56:17.298297882 CET	192.168.2.5	1.1.1.1	0x43f0	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:17.389555931 CET	192.168.2.5	1.1.1.1	0x27a6	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:17.588212967 CET	192.168.2.5	1.1.1.1	0xba88	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:17.589396000 CET	192.168.2.5	1.1.1.1	0x43bd	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:17.717796087 CET	192.168.2.5	1.1.1.1	0x42fa	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:17.725604057 CET	192.168.2.5	1.1.1.1	0x728e	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 14:56:17.727682114 CET	192.168.2.5	1.1.1.1	0xce49	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 14:56:18.060024977 CET	192.168.2.5	1.1.1.1	0xb518	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 14:56:18.160083055 CET	192.168.2.5	1.1.1.1	0xb106	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:18.326689005 CET	192.168.2.5	1.1.1.1	0xe42c	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:18.338351965 CET	192.168.2.5	1.1.1.1	0xf181	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:18.340321064 CET	192.168.2.5	1.1.1.1	0x8a5d	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:18.345052958 CET	192.168.2.5	1.1.1.1	0x64d0	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:18.465562105 CET	192.168.2.5	1.1.1.1	0x5762	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 14:56:19.441497087 CET	192.168.2.5	1.1.1.1	0x9921	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:19.538490057 CET	192.168.2.5	1.1.1.1	0x1057	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:19.682761908 CET	192.168.2.5	1.1.1.1	0x3601	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:19.822377920 CET	192.168.2.5	1.1.1.1	0xfb07	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 14:56:19.999006033 CET	192.168.2.5	1.1.1.1	0xb58d	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:20.052604914 CET	192.168.2.5	1.1.1.1	0x8ff9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:20.155766010 CET	192.168.2.5	1.1.1.1	0x5a4b	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:20.220882893 CET	192.168.2.5	1.1.1.1	0xfeaf	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 14:56:20.301414967 CET	192.168.2.5	1.1.1.1	0x835a	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 14:56:24.154644012 CET	192.168.2.5	1.1.1.1	0xd1d7	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.166866064 CET	192.168.2.5	1.1.1.1	0x662c	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.167745113 CET	192.168.2.5	1.1.1.1	0x3ef6	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.292745113 CET	192.168.2.5	1.1.1.1	0x2a65	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.304764986 CET	192.168.2.5	1.1.1.1	0x4340	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.305275917 CET	192.168.2.5	1.1.1.1	0xbcb8	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.444624901 CET	192.168.2.5	1.1.1.1	0xa170	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 24, 2024 14:56:24.445570946 CET	192.168.2.5	1.1.1.1	0xa899	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 24, 2024 14:56:24.449558020 CET	192.168.2.5	1.1.1.1	0xb0f8	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 14:56:24.583126068 CET	192.168.2.5	1.1.1.1	0xa004	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.583293915 CET	192.168.2.5	1.1.1.1	0x28c0	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.587765932 CET	192.168.2.5	1.1.1.1	0xe476	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.726336956 CET	192.168.2.5	1.1.1.1	0xf390	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.731332064 CET	192.168.2.5	1.1.1.1	0x22b4	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.737307072 CET	192.168.2.5	1.1.1.1	0xa418	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.907563925 CET	192.168.2.5	1.1.1.1	0x18f4	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 24, 2024 14:56:24.907847881 CET	192.168.2.5	1.1.1.1	0xc0b2	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 24, 2024 14:56:24.908322096 CET	192.168.2.5	1.1.1.1	0xac7e	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 24, 2024 14:56:25.268754959 CET	192.168.2.5	1.1.1.1	0x7b18	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 14:56:29.952835083 CET	192.168.2.5	1.1.1.1	0x3529	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:30.097022057 CET	192.168.2.5	1.1.1.1	0x9577	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:30.236893892 CET	192.168.2.5	1.1.1.1	0x8d72	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 14:56:43.489625931 CET	192.168.2.5	1.1.1.1	0x3e42	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 14:56:44.627580881 CET	192.168.2.5	1.1.1.1	0xf4d3	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 14:56:44.652126074 CET	192.168.2.5	1.1.1.1	0xa0c5	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:44.751816034 CET	192.168.2.5	1.1.1.1	0x3f98	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:44.881629944 CET	192.168.2.5	1.1.1.1	0xe429	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:45.021240950 CET	192.168.2.5	1.1.1.1	0xc077	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 24, 2024 14:56:45.067800045 CET	192.168.2.5	1.1.1.1	0xeb64	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:45.212229967 CET	192.168.2.5	1.1.1.1	0x16ab	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 14:56:57.466130018 CET	192.168.2.5	1.1.1.1	0x367a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:57:05.763922930 CET	192.168.2.5	1.1.1.1	0x433e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 14:57:11.629812002 CET	192.168.2.5	1.1.1.1	0xf872	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:57:15.455166101 CET	192.168.2.5	1.1.1.1	0x620	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 14:57:47.034476995 CET	192.168.2.5	1.1.1.1	0xb967	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:57:47.175101995 CET	192.168.2.5	1.1.1.1	0x5b5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 14:57:48.398685932 CET	192.168.2.5	1.1.1.1	0xe687	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 14:56:16.353225946 CET	1.1.1.1	192.168.2.5	0xcef3	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:16.495234013 CET	1.1.1.1	192.168.2.5	0x7878	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:16.745284081 CET	1.1.1.1	192.168.2.5	0x36d2	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:16.791619062 CET	1.1.1.1	192.168.2.5	0x39fb	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:16.791619062 CET	1.1.1.1	192.168.2.5	0x39fb	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:16.889599085 CET	1.1.1.1	192.168.2.5	0x59f	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:16.930946112 CET	1.1.1.1	192.168.2.5	0x73dd	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:17.033116102 CET	1.1.1.1	192.168.2.5	0xecb1	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 24, 2024 14:56:17.075754881 CET	1.1.1.1	192.168.2.5	0x9b7d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 14:56:17.436743975 CET	1.1.1.1	192.168.2.5	0x43f0	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:17.528359890 CET	1.1.1.1	192.168.2.5	0x27a6	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:17.528359890 CET	1.1.1.1	192.168.2.5	0x27a6	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:17.715359926 CET	1.1.1.1	192.168.2.5	0x147a	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:17.715359926 CET	1.1.1.1	192.168.2.5	0x147a	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:17.725141048 CET	1.1.1.1	192.168.2.5	0xba88	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:17.727263927 CET	1.1.1.1	192.168.2.5	0x43bd	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:18.050173044 CET	1.1.1.1	192.168.2.5	0x42fa	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:18.299911022 CET	1.1.1.1	192.168.2.5	0xb106	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:18.299911022 CET	1.1.1.1	192.168.2.5	0xb106	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:18.299911022 CET	1.1.1.1	192.168.2.5	0xb106	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:18.464802980 CET	1.1.1.1	192.168.2.5	0xe42c	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:18.476934910 CET	1.1.1.1	192.168.2.5	0xf181	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:18.480063915 CET	1.1.1.1	192.168.2.5	0x8a5d	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:18.480063915 CET	1.1.1.1	192.168.2.5	0x8a5d	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:18.488840103 CET	1.1.1.1	192.168.2.5	0x64d0	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:18.488840103 CET	1.1.1.1	192.168.2.5	0x64d0	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:18.602535009 CET	1.1.1.1	192.168.2.5	0x5762	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 14:56:19.681323051 CET	1.1.1.1	192.168.2.5	0x1057	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:19.683912992 CET	1.1.1.1	192.168.2.5	0x9921	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:19.819768906 CET	1.1.1.1	192.168.2.5	0x3601	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:20.039459944 CET	1.1.1.1	192.168.2.5	0xea63	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:20.136984110 CET	1.1.1.1	192.168.2.5	0xb58d	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:20.136984110 CET	1.1.1.1	192.168.2.5	0xb58d	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:20.141976118 CET	1.1.1.1	192.168.2.5	0x4681	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:20.141976118 CET	1.1.1.1	192.168.2.5	0x4681	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:20.200968027 CET	1.1.1.1	192.168.2.5	0x8ff9	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:20.293756008 CET	1.1.1.1	192.168.2.5	0x5a4b	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:21.705883980 CET	1.1.1.1	192.168.2.5	0xa3d7	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.291946888 CET	1.1.1.1	192.168.2.5	0xd1d7	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:24.291946888 CET	1.1.1.1	192.168.2.5	0xd1d7	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:24.291946888 CET	1.1.1.1	192.168.2.5	0xd1d7	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.303921938 CET	1.1.1.1	192.168.2.5	0x662c	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:24.303921938 CET	1.1.1.1	192.168.2.5	0x662c	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.303921938 CET	1.1.1.1	192.168.2.5	0x662c	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.303921938 CET	1.1.1.1	192.168.2.5	0x662c	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.303921938 CET	1.1.1.1	192.168.2.5	0x662c	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.303921938 CET	1.1.1.1	192.168.2.5	0x662c	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.303921938 CET	1.1.1.1	192.168.2.5	0x662c	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.303921938 CET	1.1.1.1	192.168.2.5	0x662c	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.303921938 CET	1.1.1.1	192.168.2.5	0x662c	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.303921938 CET	1.1.1.1	192.168.2.5	0x662c	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.303921938 CET	1.1.1.1	192.168.2.5	0x662c	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.303921938 CET	1.1.1.1	192.168.2.5	0x662c	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.304707050 CET	1.1.1.1	192.168.2.5	0x3ef6	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:24.304707050 CET	1.1.1.1	192.168.2.5	0x3ef6	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.431766033 CET	1.1.1.1	192.168.2.5	0x2a65	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.443953991 CET	1.1.1.1	192.168.2.5	0x4340	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.443953991 CET	1.1.1.1	192.168.2.5	0x4340	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.443953991 CET	1.1.1.1	192.168.2.5	0x4340	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.443953991 CET	1.1.1.1	192.168.2.5	0x4340	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.443953991 CET	1.1.1.1	192.168.2.5	0x4340	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.443953991 CET	1.1.1.1	192.168.2.5	0x4340	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.443953991 CET	1.1.1.1	192.168.2.5	0x4340	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.443953991 CET	1.1.1.1	192.168.2.5	0x4340	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.443953991 CET	1.1.1.1	192.168.2.5	0x4340	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.443953991 CET	1.1.1.1	192.168.2.5	0x4340	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.443953991 CET	1.1.1.1	192.168.2.5	0x4340	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.445003033 CET	1.1.1.1	192.168.2.5	0xbcb8	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.582364082 CET	1.1.1.1	192.168.2.5	0xa899	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 24, 2024 14:56:24.582444906 CET	1.1.1.1	192.168.2.5	0xa170	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 14:56:24.582444906 CET	1.1.1.1	192.168.2.5	0xa170	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 14:56:24.582444906 CET	1.1.1.1	192.168.2.5	0xa170	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 14:56:24.582444906 CET	1.1.1.1	192.168.2.5	0xa170	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 14:56:24.724716902 CET	1.1.1.1	192.168.2.5	0xa004	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:24.724716902 CET	1.1.1.1	192.168.2.5	0xa004	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.725167990 CET	1.1.1.1	192.168.2.5	0x28c0	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:24.725167990 CET	1.1.1.1	192.168.2.5	0x28c0	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.725167990 CET	1.1.1.1	192.168.2.5	0x28c0	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.725167990 CET	1.1.1.1	192.168.2.5	0x28c0	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.725167990 CET	1.1.1.1	192.168.2.5	0x28c0	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.728585005 CET	1.1.1.1	192.168.2.5	0xe476	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.863961935 CET	1.1.1.1	192.168.2.5	0xf390	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.869559050 CET	1.1.1.1	192.168.2.5	0x22b4	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.869559050 CET	1.1.1.1	192.168.2.5	0x22b4	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.869559050 CET	1.1.1.1	192.168.2.5	0x22b4	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.869559050 CET	1.1.1.1	192.168.2.5	0x22b4	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:24.874607086 CET	1.1.1.1	192.168.2.5	0xa418	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:25.048851013 CET	1.1.1.1	192.168.2.5	0xac7e	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 24, 2024 14:56:30.095036030 CET	1.1.1.1	192.168.2.5	0x3529	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:30.236254930 CET	1.1.1.1	192.168.2.5	0x9577	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:44.880192995 CET	1.1.1.1	192.168.2.5	0xa0c5	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:44.880192995 CET	1.1.1.1	192.168.2.5	0xa0c5	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:44.880192995 CET	1.1.1.1	192.168.2.5	0xa0c5	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:44.880192995 CET	1.1.1.1	192.168.2.5	0xa0c5	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:45.020472050 CET	1.1.1.1	192.168.2.5	0xe429	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:45.020472050 CET	1.1.1.1	192.168.2.5	0xe429	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:45.020472050 CET	1.1.1.1	192.168.2.5	0xe429	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:45.020472050 CET	1.1.1.1	192.168.2.5	0xe429	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:45.066349983 CET	1.1.1.1	192.168.2.5	0x3f98	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:45.066349983 CET	1.1.1.1	192.168.2.5	0x3f98	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:45.164136887 CET	1.1.1.1	192.168.2.5	0xc077	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 14:56:45.164136887 CET	1.1.1.1	192.168.2.5	0xc077	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 14:56:45.164136887 CET	1.1.1.1	192.168.2.5	0xc077	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 14:56:45.164136887 CET	1.1.1.1	192.168.2.5	0xc077	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 14:56:45.211462021 CET	1.1.1.1	192.168.2.5	0xeb64	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:56:48.107409954 CET	1.1.1.1	192.168.2.5	0xa2a5	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:48.107409954 CET	1.1.1.1	192.168.2.5	0xa2a5	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:57.603357077 CET	1.1.1.1	192.168.2.5	0x367a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:56:57.603357077 CET	1.1.1.1	192.168.2.5	0x367a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:57:11.769124031 CET	1.1.1.1	192.168.2.5	0xf872	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:57:11.769124031 CET	1.1.1.1	192.168.2.5	0xf872	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:57:15.452613115 CET	1.1.1.1	192.168.2.5	0x2db5	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:57:47.172940016 CET	1.1.1.1	192.168.2.5	0xb967	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 14:57:48.537471056 CET	1.1.1.1	192.168.2.5	0xe687	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 14:57:48.537471056 CET	1.1.1.1	192.168.2.5	0xe687	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	3920	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 14:56:17.198241949 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 14:56:18.286773920 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 73086 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49719	34.107.221.82	80	3920	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 14:56:18.609517097 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 14:56:19.798361063 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 19:39:57 GMT Age: 65782 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49722	34.107.221.82	80	3920	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 14:56:19.507388115 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 14:56:20.685794115 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 73088 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 14:56:21.563839912 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 14:56:21.896699905 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 73089 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 14:56:24.322416067 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 14:56:24.699004889 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 73092 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 14:56:29.953366041 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 14:56:30.287827969 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 73098 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 14:56:33.753827095 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 14:56:34.086703062 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 73101 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 14:56:44.101352930 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 14:56:44.768686056 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 14:56:45.104084969 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 73112 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 14:56:45.881596088 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 14:56:46.214730024 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 73114 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 14:56:46.343754053 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 14:56:46.677378893 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 73114 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 14:56:47.468956947 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 14:56:47.803533077 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 73115 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 14:56:57.465820074 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 14:56:57.798815966 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 73125 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 14:57:07.029422998 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 14:57:07.366811037 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 73135 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 14:57:16.723995924 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 14:57:17.057665110 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 73144 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 14:57:27.058990002 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 14:57:37.188321114 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 14:57:47.316854954 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 14:57:48.398302078 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 14:57:48.731939077 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 73176 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 14:57:58.749134064 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 14:58:08.879081964 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 14:58:19.008368969 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49730	34.107.221.82	80	3920	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 14:56:20.999814987 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 14:56:22.125194073 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 51434 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 14:56:24.321650028 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 14:56:24.687566042 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 51437 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 14:56:29.951852083 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 14:56:30.267282009 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 51443 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 14:56:31.182020903 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 14:56:31.496902943 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 51444 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 14:56:34.515882015 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 14:56:34.830687046 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 51447 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 14:56:44.834681034 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 14:56:45.107161045 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 14:56:45.428308010 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 51458 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 14:56:46.217031002 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 14:56:46.532974958 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 51459 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 14:56:46.680624008 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 14:56:46.995903969 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 51459 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 14:56:47.806408882 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 14:56:48.123768091 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 51460 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 14:56:57.801728010 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 14:56:58.118071079 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 51470 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 14:57:07.369771957 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 14:57:07.686026096 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 51480 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 14:57:17.060563087 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 14:57:17.378432035 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 51490 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 14:57:27.391089916 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 14:57:37.520478964 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 14:57:47.648957968 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 14:57:48.735279083 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 14:57:49.050278902 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 51521 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 14:57:59.065644026 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 14:58:09.195574045 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 14:58:19.324805021 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	08:56:09
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x390000
File size:	923'136 bytes
MD5 hash:	89DD8A448515DCC941C852EA2F54D652
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:56:09
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x4a0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:56:09
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:56:11
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x4a0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:56:11
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:56:11
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x4a0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:56:11
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:56:11
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x4a0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:56:11
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:56:12
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x4a0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:56:12
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:56:12
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:56:12
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6d64d0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:56:12
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	08:56:13
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed1a580a-f66e-4919-9609-aeed2be66e0b} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 20c58b6f710 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	08:56:15
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3728 -parentBuildID 20230927232528 -prefsHandle 4012 -prefMapHandle 3700 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd08fa81-ebde-40ab-88fb-74e4bf2085ce} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 20c704da910 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	08:56:18
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4948 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5032 -prefMapHandle 5028 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {559a0b05-97a8-4031-b5ef-464ac3f9e4d4} 3920 "\\.\pipe\gecko-crash-server-pipe.3920" 20c69f72f10 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.1%
Total number of Nodes:	1492
Total number of Limit Nodes:	58

Executed Functions

Function 003942DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0039430D

Part of subcall function 00396B57: _wcslen.LIBCMT ref: 00396B6A

GetCurrentProcess.KERNEL32(?,0042CB64,00000000,?,?), ref: 00394422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00394429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00394454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00394466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00394474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0039447B
GetSystemInfo.KERNEL32(?,?,?), ref: 003944A0

Strings

|O, xrefs: 003D36F8
kernel32.dll, xrefs: 0039444F
GetNativeSystemInfo, xrefs: 00394460

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 010a5a0f1f0f0b4130a0ce1a590b8524cda8b172789e9e0729466691d9b60b25
Instruction ID: 0db7c61ee1c475ca0a9791d2ef0eb5615417b5a38558355d15dbe23ae468c235
Opcode Fuzzy Hash: 010a5a0f1f0f0b4130a0ce1a590b8524cda8b172789e9e0729466691d9b60b25
Instruction Fuzzy Hash: 90A198A691A2C0DFEB13C77A7C815957FA46B36300B1C44BAD84397B31F2A04995CB6F

Function 003942A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003950AA,?,?,00000000,00000000), ref: 003942B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003950AA,?,?,00000000,00000000), ref: 003942C9
LoadResource.KERNEL32(?,00000000,?,?,003950AA,?,?,00000000,00000000,?,?,?,?,?,?,00394F20), ref: 003D35BE
SizeofResource.KERNEL32(?,00000000,?,?,003950AA,?,?,00000000,00000000,?,?,?,?,?,?,00394F20), ref: 003D35D3
LockResource.KERNEL32(003950AA,?,?,003950AA,?,?,00000000,00000000,?,?,?,?,?,?,00394F20,?), ref: 003D35E6

Strings

SCRIPT, xrefs: 003942BF

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: cfc5709e2ab24830d536a39d38ef4cb43164b0c9398bbe95486113a84a888c6a
Instruction ID: 90d5886303eb7ea29188b81999572989a2f766de518e175401f9a43d54da1f2c
Opcode Fuzzy Hash: cfc5709e2ab24830d536a39d38ef4cb43164b0c9398bbe95486113a84a888c6a
Instruction Fuzzy Hash: 74117C71700700BFEB228B65EC88F2B7BBDEFC5B51F2085A9B44296250DB71DC018671

Function 003D2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00392B6B

Part of subcall function 00393A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00461418,?,00392E7F,?,?,?,00000000), ref: 00393A78

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00452224), ref: 003D2C10
ShellExecuteW.SHELL32(00000000,?,?,00452224), ref: 003D2C17

Strings

runas, xrefs: 003D2C0B

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: fd8453ced0a318c8e5fa028b138b59d2b2f0fefcbfb806aa95c9ced1693a49c4
Instruction ID: 773fd5269eb0f9849db69b7f0e410af0819de36d515ada0464b199e02c3e8fde
Opcode Fuzzy Hash: fd8453ced0a318c8e5fa028b138b59d2b2f0fefcbfb806aa95c9ced1693a49c4
Instruction Fuzzy Hash: 9411D3712083016ACF17FF64D892ABF77A49FA1341F48442EF5865B0A3DF658A0AC757

Function 003FD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 003FD501
Process32FirstW.KERNEL32(00000000,?), ref: 003FD50F
Process32NextW.KERNEL32(00000000,?), ref: 003FD52F
CloseHandle.KERNELBASE(00000000), ref: 003FD5DC

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2d5d4c0adc177b0c8907b666b61c02ce30c010138d6b40dcb933a9e767a10a4a
Instruction ID: 1455f28901b453511146cb74d4f2e9b9b589193f522129d565745ae155b6c954
Opcode Fuzzy Hash: 2d5d4c0adc177b0c8907b666b61c02ce30c010138d6b40dcb933a9e767a10a4a
Instruction Fuzzy Hash: 8D31D4311083049FD702EF64C885ABFBBF8EF9A354F50092DF5858B1A1EB719949CB92

Function 003FDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,003D5222), ref: 003FDBCE
GetFileAttributesW.KERNELBASE(?), ref: 003FDBDD
FindFirstFileW.KERNEL32(?,?), ref: 003FDBEE
FindClose.KERNEL32(00000000), ref: 003FDBFA

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d647a5e7d117afd530cb63ab40a18f028a40f50a684b0e8dd5a84995c70a6ff1
Instruction ID: 8c160922ef8da993a8452f5d997c7a793099cd3b452a3f5f0409c77c6f160166
Opcode Fuzzy Hash: d647a5e7d117afd530cb63ab40a18f028a40f50a684b0e8dd5a84995c70a6ff1
Instruction Fuzzy Hash: B5F0E5308109189782316B7CBC4E8BE376D9E01334B944752F976C20F0EFB05D56C6E9

Function 003B4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(003C28E9,?,003B4CBE,003C28E9,004588B8,0000000C,003B4E15,003C28E9,00000002,00000000,?,003C28E9), ref: 003B4D09
TerminateProcess.KERNEL32(00000000,?,003B4CBE,003C28E9,004588B8,0000000C,003B4E15,003C28E9,00000002,00000000,?,003C28E9), ref: 003B4D10
ExitProcess.KERNEL32 ref: 003B4D22

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6b1a9e103d84082d602c0436f0faf7f88b688256fd816c36a8562632d7f480e0
Instruction ID: ab77eae8d46eeb59e861b6d78b08800372a17aa0901ae01b6c312a7d275f238b
Opcode Fuzzy Hash: 6b1a9e103d84082d602c0436f0faf7f88b688256fd816c36a8562632d7f480e0
Instruction Fuzzy Hash: F1E0B631200548ABCF22AF54DD4AA983B69EB41799B518428FD058A523CB35DD52DB88

Function 0039BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#F, xrefs: 003E07CE

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#F
API String ID: 3964851224-2326143622
Opcode ID: 33d4be0b3a970da2c18170d39e1f84230b07389f78d4ba906b3aeb25d59f4b12
Instruction ID: c4c8abcf07d2a2a4fc0a39af66a6a2354b79fe4aaa07d36613c2b79abd554ef1
Opcode Fuzzy Hash: 33d4be0b3a970da2c18170d39e1f84230b07389f78d4ba906b3aeb25d59f4b12
Instruction Fuzzy Hash: 88A28C706083419FDB16CF19C480B2AB7E5FF89304F15996DE88A9B392D771EC85CB92

Function 0041AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0041B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0041B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0041B1D4
_wcslen.LIBCMT ref: 0041B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0041B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0041B236
_wcslen.LIBCMT ref: 0041B332

Part of subcall function 004005A7: GetStdHandle.KERNEL32(000000F6), ref: 004005C6

_wcslen.LIBCMT ref: 0041B34B
_wcslen.LIBCMT ref: 0041B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0041B3B6
GetLastError.KERNEL32(00000000), ref: 0041B407
CloseHandle.KERNEL32(?), ref: 0041B439
CloseHandle.KERNEL32(00000000), ref: 0041B44A
CloseHandle.KERNEL32(00000000), ref: 0041B45C
CloseHandle.KERNEL32(00000000), ref: 0041B46E
CloseHandle.KERNEL32(?), ref: 0041B4E3

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 292e92e988d47fea3bf5e9dd1b1b7e85f3d36d2dbfcca0496bf608f4cdb3dd95
Instruction ID: 7c33b9de72d74e4f314b5ca21f77eaf6fe179efaf5fd3870479b9267ed436d87
Opcode Fuzzy Hash: 292e92e988d47fea3bf5e9dd1b1b7e85f3d36d2dbfcca0496bf608f4cdb3dd95
Instruction Fuzzy Hash: AEF17B316082409FCB15EF24C881B6BBBE1EF85314F14855EF8999F2A2DB35EC45CB96

Function 0039D730 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0039D807
timeGetTime.WINMM ref: 0039DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0039DB28
TranslateMessage.USER32(?), ref: 0039DB7B
DispatchMessageW.USER32(?), ref: 0039DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0039DB9F
Sleep.KERNELBASE(0000000A), ref: 0039DBB1

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: f15856137c81a0b503fd5bb5cc6585e743b7bf892aa9a0d2a79a5ff36cb1db7c
Instruction ID: d5fba09e00f9eaef9a7071a5cce9eb3fb07e096a63f5d9fe8d26cfb9f310543a
Opcode Fuzzy Hash: f15856137c81a0b503fd5bb5cc6585e743b7bf892aa9a0d2a79a5ff36cb1db7c
Instruction Fuzzy Hash: 9742F370608392EFDB26DF25C886B6AB7E4FF46304F15466DE4968B291D770E844CB82

Function 00392CD4 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00392D07
RegisterClassExW.USER32(00000030), ref: 00392D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00392D42
InitCommonControlsEx.COMCTL32(?), ref: 00392D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00392D6F
LoadIconW.USER32(000000A9), ref: 00392D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00392D94

Strings

8H, xrefs: 00392D80, 00392D8E
TaskbarCreated, xrefs: 00392D37
AutoIt v3 GUI, xrefs: 00392D23
0, xrefs: 00392CE9
+, xrefs: 00392CF0

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$8H$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-663311790
Opcode ID: 9ba804ea0b821e3e82312f7e710d7d3ed556001d067ea054032a3a3511784568
Instruction ID: 29ae5fd7cb786351879ada6dc692de4ae09252178260f2ffdaac93906a4e6fe7
Opcode Fuzzy Hash: 9ba804ea0b821e3e82312f7e710d7d3ed556001d067ea054032a3a3511784568
Instruction Fuzzy Hash: 7221F7B5E01319AFDB10DFA4EC89BDDBBB4FB08701F04412AF511A62A0E7B50544CF99

Function 003D065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003D039A: CreateFileW.KERNELBASE(00000000,00000000,?,003D0704,?,?,00000000,?,003D0704,00000000,0000000C), ref: 003D03B7

GetLastError.KERNEL32 ref: 003D076F
__dosmaperr.LIBCMT ref: 003D0776
GetFileType.KERNELBASE(00000000), ref: 003D0782
GetLastError.KERNEL32 ref: 003D078C
__dosmaperr.LIBCMT ref: 003D0795
CloseHandle.KERNEL32(00000000), ref: 003D07B5
CloseHandle.KERNEL32(?), ref: 003D08FF
GetLastError.KERNEL32 ref: 003D0931
__dosmaperr.LIBCMT ref: 003D0938

Strings

H, xrefs: 003D08BD

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 8b25423ab365ddd6e21f856010625345fa9d1f5786da57f6cb9fa14201c81b4e
Instruction ID: a94ba7f013081e44c0adbbbdb9b051b59e221588faf64bdf7f6ea7f461c2bcaa
Opcode Fuzzy Hash: 8b25423ab365ddd6e21f856010625345fa9d1f5786da57f6cb9fa14201c81b4e
Instruction Fuzzy Hash: 45A10236A001089FDF1EEF68EC91BAE7BA0AB46324F14015EF8159F391D7719D12CB95

Function 0039344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00393A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00461418,?,00392E7F,?,?,?,00000000), ref: 00393A78

Part of subcall function 00393357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00393379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0039356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003D318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003D31CE
RegCloseKey.ADVAPI32(?), ref: 003D3210
_wcslen.LIBCMT ref: 003D3277
_wcslen.LIBCMT ref: 003D3286

Strings

\, xrefs: 003D328C
\Include\, xrefs: 00393527
Include, xrefs: 003D3184, 003D31C5
Software\AutoIt v3\AutoIt, xrefs: 00393560

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: e6ff1a376c8d6ef590abd5907e0663e53fc69647571ea5c84048d1396ae9ced6
Instruction ID: 32641b1065b2585bef0bdd504e2788daad5195fe4e47d94fad48b68fbd7730f5
Opcode Fuzzy Hash: e6ff1a376c8d6ef590abd5907e0663e53fc69647571ea5c84048d1396ae9ced6
Instruction Fuzzy Hash: 1D71A171504701AEC715EF65ED8195BBBE8FF99340F40083EF945872A0EBB49A88CB56

Function 00392B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00392B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00392B9D
LoadIconW.USER32(00000063), ref: 00392BB3
LoadIconW.USER32(000000A4), ref: 00392BC5
LoadIconW.USER32(000000A2), ref: 00392BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00392BEF
RegisterClassExW.USER32(?), ref: 00392C40

Part of subcall function 00392CD4: GetSysColorBrush.USER32(0000000F), ref: 00392D07
Part of subcall function 00392CD4: RegisterClassExW.USER32(00000030), ref: 00392D31
Part of subcall function 00392CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00392D42
Part of subcall function 00392CD4: InitCommonControlsEx.COMCTL32(?), ref: 00392D5F
Part of subcall function 00392CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00392D6F
Part of subcall function 00392CD4: LoadIconW.USER32(000000A9), ref: 00392D85
Part of subcall function 00392CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00392D94

Strings

AutoIt v3, xrefs: 00392C2F
0, xrefs: 00392C0F
#, xrefs: 00392C16

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 77cea0594116b3b0b780955546f2f50ddabda5397af4f5033953631b02ee21c4
Instruction ID: 93ee21a353f7eb5f74a00a1ae77fb8a2c1ddb0e11c377d5f5c31165f996052e6
Opcode Fuzzy Hash: 77cea0594116b3b0b780955546f2f50ddabda5397af4f5033953631b02ee21c4
Instruction Fuzzy Hash: 82210E75E10314ABEB109F95EC95A9D7FB4FB48B50F08403AE902A6770E7F14980DF99

Function 00393170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0039316A,?,?), ref: 003931D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0039316A,?,?), ref: 00393204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00393227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0039316A,?,?), ref: 00393232
CreatePopupMenu.USER32 ref: 00393246
PostQuitMessage.USER32(00000000), ref: 00393267

Strings

TaskbarCreated, xrefs: 0039322D

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 0ce0fe12d28820a39665efc06d919852ee07eee08211c699e11050dda368712b
Instruction ID: 00644151ba82042fdc71567625cdd1e6e96ba535189636f5cb02659ba0986450
Opcode Fuzzy Hash: 0ce0fe12d28820a39665efc06d919852ee07eee08211c699e11050dda368712b
Instruction Fuzzy Hash: 41413AB2344204A7DF272B78DD49B7E361AEB45340F080536F952C66B1EBA1CA41D7AA

Function 00391410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00391459
CoUninitialize.COMBASE ref: 003914F8
UnregisterHotKey.USER32(?), ref: 003916DD
DestroyWindow.USER32(?), ref: 003D24B9
FreeLibrary.KERNEL32(?), ref: 003D251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 003D254B

Strings

close all, xrefs: 00391454

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 849daa87b34f4bd75cbd999c05e359a0df63a2abae4d095db9d5ac372d4ee136
Instruction ID: d76ac6355d0b5e9339635b3b4545e6c59d91dbcc9e595a27b158bdd0741e8ebb
Opcode Fuzzy Hash: 849daa87b34f4bd75cbd999c05e359a0df63a2abae4d095db9d5ac372d4ee136
Instruction Fuzzy Hash: 61D17B327012128FDB2AEF55E495A29F7A5BF16700F1541AEE84A6B351CB30ED12CF54

Function 00392C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00392C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00392CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00391CAD,?), ref: 00392CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00391CAD,?), ref: 00392CCF

Strings

AutoIt v3, xrefs: 00392C89, 00392C8E, 00392C8F
edit, xrefs: 00392CAC

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a09e1957ef3080078de6242aac5d47d37ec4e8b1caf41977e3ea6134effb63f7
Instruction ID: 4b78bd90211d7b6ad60f88b700664497e6544d6a3f5ab7810fb77a2c8272e546
Opcode Fuzzy Hash: a09e1957ef3080078de6242aac5d47d37ec4e8b1caf41977e3ea6134effb63f7
Instruction Fuzzy Hash: F0F030756402907AF73007136C48E7B2E7DD7CAF50B04002AFD0192270D6A50881DABA

Function 00393B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00393B0F,SwapMouseButtons,00000004,?), ref: 00393B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00393B0F,SwapMouseButtons,00000004,?), ref: 00393B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00393B0F,SwapMouseButtons,00000004,?), ref: 00393B83

Strings

Control Panel\Mouse, xrefs: 00393B3E

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: cfeffd22e6e8e7607f698f8e150ab5d836e180d33772b8ec69ba685816ae467a
Instruction ID: b73ade966555f22c921d60427a6a66b11c882d8ba1e769827beb29d462c43a05
Opcode Fuzzy Hash: cfeffd22e6e8e7607f698f8e150ab5d836e180d33772b8ec69ba685816ae467a
Instruction Fuzzy Hash: 76112AB5610208FFDF218FA5DC84EAEB7BCEF04744B114469A805D7210D6719E4197A4

Function 00393923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003D33A2

Part of subcall function 00396B57: _wcslen.LIBCMT ref: 00396B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00393A04

Strings

Line: , xrefs: 003D33EB

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: cad9304a090c0e4b00730797d6754b05231f544132b4dbfc8745751998bdafea
Instruction ID: fd7f94fe9caabba10ce6af5e69546830cd3f58957e13f51b325e356252c7ed1c
Opcode Fuzzy Hash: cad9304a090c0e4b00730797d6754b05231f544132b4dbfc8745751998bdafea
Instruction Fuzzy Hash: 7331E8B1508300AEDB22EB10DC45BEFB7E8AF40714F14452EF59A971A1EB709A48C7C7

Function 00392DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 003D2C8C

Part of subcall function 00393AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00393A97,?,?,00392E7F,?,?,?,00000000), ref: 00393AC2

Part of subcall function 00392DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00392DC4

Strings

X, xrefs: 003D2C5A
`eE, xrefs: 003D2C85

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eE
API String ID: 779396738-3086658211
Opcode ID: b657dcd36f3b573224175eb48f77ed45d05b4008bbfe71e57418d2056ec7da7d
Instruction ID: 6f448583ef0645c69cd260e5628d2978540134ed83e18ede488132464be9fb22
Opcode Fuzzy Hash: b657dcd36f3b573224175eb48f77ed45d05b4008bbfe71e57418d2056ec7da7d
Instruction Fuzzy Hash: 6B21D871A00258AFDF02DF94D845BDE7BFC9F49305F40805AE405AB341DBB85A498F65

Function 003910F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00391BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00391BF4
Part of subcall function 00391BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00391BFC
Part of subcall function 00391BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00391C07
Part of subcall function 00391BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00391C12
Part of subcall function 00391BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00391C1A
Part of subcall function 00391BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00391C22

Part of subcall function 00391B4A: RegisterWindowMessageW.USER32(00000004,?,003912C4), ref: 00391BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0039136A
OleInitialize.OLE32 ref: 00391388
CloseHandle.KERNEL32(00000000,00000000), ref: 003D24AB

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 15b4894236b6c137aa6319dccbeab6bad7e55816027b1f41a5c769d170df3993
Instruction ID: 7ffc0e9a018bb6615afa325b50dcac2a6ba02af5c7b61be1d5bf1832f2e611e1
Opcode Fuzzy Hash: 15b4894236b6c137aa6319dccbeab6bad7e55816027b1f41a5c769d170df3993
Instruction Fuzzy Hash: BC71AFB4901241AFC785EF7AA985659BAE0BB8834475C863BD00BDB271FBB44440DF8F

Function 003FC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00393923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00393A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003FC259
KillTimer.USER32(?,00000001,?,?), ref: 003FC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003FC270

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 0f0a864421df662d2fb5a0420ad3f83f2b13164c39360758cdd8c086152125e5
Instruction ID: 32ba81bbe4607fe2f4ee0b2020ae2d5e419edd0b5b5c16589d3c978a98da2f6a
Opcode Fuzzy Hash: 0f0a864421df662d2fb5a0420ad3f83f2b13164c39360758cdd8c086152125e5
Instruction Fuzzy Hash: 7431D470944348BFEF338B648985BEBBBEC9F02304F001899D69A97242C7745A84CB51

Function 003C86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,003C85CC,?,00458CC8,0000000C), ref: 003C8704
GetLastError.KERNEL32(?,003C85CC,?,00458CC8,0000000C), ref: 003C870E
__dosmaperr.LIBCMT ref: 003C8739

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: bb320c2808747addac96fa876b3aaf02420bbe9f365dd4d78d7f275d80b327f8
Instruction ID: b8a002f62da21d7a2dc2743380663efab39a08eb17f51a32d1a1e3edda2bbf38
Opcode Fuzzy Hash: bb320c2808747addac96fa876b3aaf02420bbe9f365dd4d78d7f275d80b327f8
Instruction Fuzzy Hash: 80012B3670566026D62763346845F7F77494B81778F3A021DF914DF1D2EEE1ADC18394

Function 0039DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0039DB7B
DispatchMessageW.USER32(?), ref: 0039DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0039DB9F
Sleep.KERNELBASE(0000000A), ref: 0039DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 003E1CC9

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 4a0cbffa5de51bcd4e009a876a32b9951c8dc7b8aa8c78d26ea1c0cb82529421
Instruction ID: fcfb3075ef53e3ae97ba2d1e8ba1baae99f712127d470df26e5078b2b803aed3
Opcode Fuzzy Hash: 4a0cbffa5de51bcd4e009a876a32b9951c8dc7b8aa8c78d26ea1c0cb82529421
Instruction Fuzzy Hash: C4F089306043419BEB31D760CC85FEA73BCEF85350F504A29E60AC30D0DB349485CB19

Function 003A1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003A17F6

Strings

CALL, xrefs: 003A17C6

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 82af7ffc61e5190472b3e5eab0f180d016f31c5f751aa792b976d958ed3d3253
Instruction ID: 556c78c5b37d8abcca652ee1f650d89adc0386ad9dbb18341173b1042909f4b8
Opcode Fuzzy Hash: 82af7ffc61e5190472b3e5eab0f180d016f31c5f751aa792b976d958ed3d3253
Instruction Fuzzy Hash: 1E22AB706083419FC716CF25C481A2ABBF5FF9A354F248A2DF4968B3A1D771E841CB82

Function 00393837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00393908

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: d6ad3e56a4d2f4bc8f8e08dde245be3d8eee921ed7a58103c21015555db7075b
Instruction ID: 53db65f015790a4475d0e5aee248fca970ec2455daec1faf9944dc4d5a6f9945
Opcode Fuzzy Hash: d6ad3e56a4d2f4bc8f8e08dde245be3d8eee921ed7a58103c21015555db7075b
Instruction Fuzzy Hash: B13189B06047019FE721DF64D885797B7E4FB49708F04092EF99A87350E7B1AA44CB56

Function 003AF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 003AF661

Part of subcall function 0039D730: GetInputState.USER32 ref: 0039D807

Sleep.KERNEL32(00000000), ref: 003EF2DE

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: be741a469b7eeddf682cf454f9fd191f0108078424912774a1ba83c7413f65e6
Instruction ID: 887f09615df7aa4856501d83b3d9c48f6fc51390707ee18bd7a112cd7c3b44a9
Opcode Fuzzy Hash: be741a469b7eeddf682cf454f9fd191f0108078424912774a1ba83c7413f65e6
Instruction Fuzzy Hash: 2CF08C312406059FD310FFA9E58AB6AF7E8EF46760F000029E859CB2A0DB70A800CB95

Function 00394ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00394E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00394EDD,?,00461418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00394E9C
Part of subcall function 00394E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00394EAE
Part of subcall function 00394E90: FreeLibrary.KERNEL32(00000000,?,?,00394EDD,?,00461418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00394EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00461418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00394EFD

Part of subcall function 00394E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003D3CDE,?,00461418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00394E62
Part of subcall function 00394E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00394E74
Part of subcall function 00394E59: FreeLibrary.KERNEL32(00000000,?,?,003D3CDE,?,00461418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00394E87

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 0a3b54f95244cfd8f26a7a53be831bfa0e5d99368212d9510fffd1cadc1db103
Instruction ID: 3ec6e9cfcf8325896f587147c887d8677706bc14d0eae597ffdfaafe460600e2
Opcode Fuzzy Hash: 0a3b54f95244cfd8f26a7a53be831bfa0e5d99368212d9510fffd1cadc1db103
Instruction Fuzzy Hash: A711E732A10206AACF26BF64DC02FAD77A5AF40754F10842EF542BB1D1EE74DE469754

Function 003C8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 003C8440

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 652a2b5293c945499803c58091406670c44da002c8ff180875481d4b585c0338
Instruction ID: c69a8dfed2fbfc3fcede963dbe1165a26da00c56f2d41735b003867a2ce2bca5
Opcode Fuzzy Hash: 652a2b5293c945499803c58091406670c44da002c8ff180875481d4b585c0338
Instruction Fuzzy Hash: 2311187590410AAFCB0ADF59E941E9A7BF9EF48314F154069F808EB312DB31EE11CBA5

Function 003C5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003C4C7D: RtlAllocateHeap.NTDLL(00000008,00391129,00000000,?,003C2E29,00000001,00000364,?,?,?,003BF2DE,003C3863,00461444,?,003AFDF5,?), ref: 003C4CBE

_free.LIBCMT ref: 003C506C

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: d7d853ce13ecdd28e9750d38061a5e46760977880fd04247c43355e298181d89
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 8B0126722047046BE3228E659881F9AFBECFB89370F25051DE584C7280EB30BC45C7B4

Function 003BE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 33f1ba2333578b5ea94920a9163633b196fd58d9354d979808fa62dfdffcd819
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: F9F0F432510A14AAC6333A6D9C05FDB379C9F52338F110719FA21DA9D2DB74A80187A5

Function 003C4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00391129,00000000,?,003C2E29,00000001,00000364,?,?,?,003BF2DE,003C3863,00461444,?,003AFDF5,?), ref: 003C4CBE

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fd657fbbf39e84d56ad253c0cada2364691f7c8abd7dc4c8f17e63f291b800db
Instruction ID: ffeeff9e2f47621d300cc1784b9959f1ef9836c78cbb34cd17ee214fd30606a8
Opcode Fuzzy Hash: fd657fbbf39e84d56ad253c0cada2364691f7c8abd7dc4c8f17e63f291b800db
Instruction Fuzzy Hash: 0BF0B43164222476DB235F629C15F9A3788AF41BB1B16C129FD15EA6A1CA70DC0147E4

Function 00394F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00461418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00394F6D

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 6ea9737587cdc1d73332d7438d3b3fca009eaaf5a19f565b39bf7bd49c9f208b
Instruction ID: 9eea284efdcfe3473c33fcb52fc985e7336779d727653ab2114d0f10f176b700
Opcode Fuzzy Hash: 6ea9737587cdc1d73332d7438d3b3fca009eaaf5a19f565b39bf7bd49c9f208b
Instruction Fuzzy Hash: B7F03971109752CFDF369F64E494C66BBE4EF143293218A7EE2EB82A21C7319845DF10

Function 00422A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00422A66

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 5b942e8643e19e3e7680d6f68c24729fa362ade1855583809715f9e774cae8c1
Instruction ID: 0a008a3f8add25bc91f8d453798d4c078c01b48629a1b5905a315f80297fda07
Opcode Fuzzy Hash: 5b942e8643e19e3e7680d6f68c24729fa362ade1855583809715f9e774cae8c1
Instruction Fuzzy Hash: 33E0DF3234012ABAC710EA30EC808FF734CEB143D4710013BAC16D6520DBB8898282E8

Function 003930F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0039314E

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: bddba40dbb5e098819cf46b7d92de24b1bc9ba3f67221b7c69c5244199003115
Instruction ID: 36c8e17061c4f80fb0404e70f479f43d8e1e2080bad8fd1d2dd66636d28aa56c
Opcode Fuzzy Hash: bddba40dbb5e098819cf46b7d92de24b1bc9ba3f67221b7c69c5244199003115
Instruction Fuzzy Hash: A5F01270A143149FEB529B24DC457DA7AACAB01708F0401E5A64996291E7B45788CB96

Function 00392DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00392DC4

Part of subcall function 00396B57: _wcslen.LIBCMT ref: 00396B6A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: c0283cd4cdf64dc3cbb40138c3b75209dfd54ce2bacbd78a79a57965915d970d
Instruction ID: ebcae9c5cfeadd85d6c09506a2320bd370f996a6598d2d0cdf928a6dc2162bac
Opcode Fuzzy Hash: c0283cd4cdf64dc3cbb40138c3b75209dfd54ce2bacbd78a79a57965915d970d
Instruction Fuzzy Hash: 26E0CD73A001245BCB219398DC06FDA77DDDFC8790F0401B1FD09D724CD960AD848550

Function 00392B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00393837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00393908

Part of subcall function 0039D730: GetInputState.USER32 ref: 0039D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00392B6B

Part of subcall function 003930F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0039314E

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: cea611cdcffd8f58ec5c1abdc23fa42e0f66a4fcc95cc18a6423ec1342aeeeb4
Instruction ID: 60fd94ad8f21521964bde2dc96cec9ab61efc3afc5878535d41d17040b7b1506
Opcode Fuzzy Hash: cea611cdcffd8f58ec5c1abdc23fa42e0f66a4fcc95cc18a6423ec1342aeeeb4
Instruction Fuzzy Hash: DDE07D7130420407CE0ABB75985257EB3898FD1351F80043FF1478B173DF6445494313

Function 003D039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,003D0704,?,?,00000000,?,003D0704,00000000,0000000C), ref: 003D03B7

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1f06760b0db09691c59c4e053b36e289aa944aa3c97e83ae487f7ca77f67ad82
Instruction ID: f48b597e48df1f989731576b09d0f1b62cef654c6a2c49daece51573f7487b06
Opcode Fuzzy Hash: 1f06760b0db09691c59c4e053b36e289aa944aa3c97e83ae487f7ca77f67ad82
Instruction Fuzzy Hash: FCD06C3214010DBBDF128F84DD46EDA3BAAFB48714F014010BE1896020C732E832AB94

Function 00391CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00391CBC

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: f5cfff26faf7bf210988b245e21b7d73c062534dc324e2b9f7b41a044c1686bb
Instruction ID: aaf8f2b6bbde3c5cea7125d6feed9ac6d703f7fc761dc82f213e17d562ce1a13
Opcode Fuzzy Hash: f5cfff26faf7bf210988b245e21b7d73c062534dc324e2b9f7b41a044c1686bb
Instruction Fuzzy Hash: A2C09B35380314BFF2244780BD4AF147754A758B00F444011F60B555F3D3E15850D659

Non-executed Functions

Function 00429576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003A9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0042961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0042965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0042969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004296C9
SendMessageW.USER32 ref: 004296F2
GetKeyState.USER32(00000011), ref: 0042978B
GetKeyState.USER32(00000009), ref: 00429798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004297AE
GetKeyState.USER32(00000010), ref: 004297B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004297E9
SendMessageW.USER32 ref: 00429810
SendMessageW.USER32(?,00001030,?,00427E95), ref: 00429918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0042992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00429941
SetCapture.USER32(?), ref: 0042994A
ClientToScreen.USER32(?,?), ref: 004299AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004299BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004299D6
ReleaseCapture.USER32 ref: 004299E1
GetCursorPos.USER32(?), ref: 00429A19
ScreenToClient.USER32(?,?), ref: 00429A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00429A80
SendMessageW.USER32 ref: 00429AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00429AEB
SendMessageW.USER32 ref: 00429B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00429B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00429B4A
GetCursorPos.USER32(?), ref: 00429B68
ScreenToClient.USER32(?,?), ref: 00429B75
GetParent.USER32(?), ref: 00429B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00429BFA
SendMessageW.USER32 ref: 00429C2B
ClientToScreen.USER32(?,?), ref: 00429C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00429CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00429CDE
SendMessageW.USER32 ref: 00429D01
ClientToScreen.USER32(?,?), ref: 00429D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00429D82

Part of subcall function 003A9944: GetWindowLongW.USER32(?,000000EB), ref: 003A9952

GetWindowLongW.USER32(?,000000F0), ref: 00429E05

Strings

@GUI_DRAGID, xrefs: 0042997D
p#F, xrefs: 00429990
F, xrefs: 00429D07

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#F
API String ID: 3429851547-1958109480
Opcode ID: 5c77acf90090948a656bb1e63c44d514a6a3acad9fe30dc97f57e53997065edc
Instruction ID: d7eaddce31d49015e397ca16f00e6b2d7184584c3356a8ed4d7a93213992bf9f
Opcode Fuzzy Hash: 5c77acf90090948a656bb1e63c44d514a6a3acad9fe30dc97f57e53997065edc
Instruction Fuzzy Hash: 52429B70304210AFDB25CF24DC84AAABBE5FF89310F54062AF699873A1D775AC51CF5A

Function 00424873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004248F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00424908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00424927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0042494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0042495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0042497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004249AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004249D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00424A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00424A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00424A7E
IsMenu.USER32(?), ref: 00424A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00424AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00424B20
GetWindowLongW.USER32(?,000000F0), ref: 00424B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00424BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00424C82
wsprintfW.USER32 ref: 00424CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00424CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00424CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00424D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00424D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00424D5A

Strings

%d/%02d/%02d, xrefs: 00424CA8

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 25255c01229821ddf10be4847c1fdc1ce88ee4b8546dfa791a5fdd0f67ca28ef
Instruction ID: 6ef695529cd066768b0767c4ba12cd3349d96906e4b0aa5a0a15e7b43cf1ef4c
Opcode Fuzzy Hash: 25255c01229821ddf10be4847c1fdc1ce88ee4b8546dfa791a5fdd0f67ca28ef
Instruction Fuzzy Hash: D112E071700224ABEB258F28EC49FAF7BF8EF85310F50416AF515DA2E1DB789941CB58

Function 003AF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 003AF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003EF474
IsIconic.USER32(00000000), ref: 003EF47D
ShowWindow.USER32(00000000,00000009), ref: 003EF48A
SetForegroundWindow.USER32(00000000), ref: 003EF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003EF4AA
GetCurrentThreadId.KERNEL32 ref: 003EF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003EF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 003EF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 003EF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 003EF4DE
SetForegroundWindow.USER32(00000000), ref: 003EF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 003EF4F6
keybd_event.USER32(00000012,00000000), ref: 003EF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 003EF50B
keybd_event.USER32(00000012,00000000), ref: 003EF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 003EF519
keybd_event.USER32(00000012,00000000), ref: 003EF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 003EF528
keybd_event.USER32(00000012,00000000), ref: 003EF52D
SetForegroundWindow.USER32(00000000), ref: 003EF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 003EF557

Strings

Shell_TrayWnd, xrefs: 003EF46F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f5cdd4cf4b2554b9b1ef06e7f05172c03e7bc74cbce17b6c89b6b71890a1a756
Instruction ID: 5b3f7520fb6cb07d78ed91e2833f09860ece036b4b731798db5beacbdf9d5b90
Opcode Fuzzy Hash: f5cdd4cf4b2554b9b1ef06e7f05172c03e7bc74cbce17b6c89b6b71890a1a756
Instruction Fuzzy Hash: 6B315471B40228BEEB316BB65C89FBF7E6CEB44B50F510175F601E61D1C6B09901AAA4

Function 003F1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 003F16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003F170D
Part of subcall function 003F16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003F173A
Part of subcall function 003F16C3: GetLastError.KERNEL32 ref: 003F174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 003F1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003F12A8
CloseHandle.KERNEL32(?), ref: 003F12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003F12D1
GetProcessWindowStation.USER32 ref: 003F12EA
SetProcessWindowStation.USER32(00000000), ref: 003F12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 003F1310

Part of subcall function 003F10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003F11FC), ref: 003F10D4
Part of subcall function 003F10BF: CloseHandle.KERNEL32(?,?,003F11FC), ref: 003F10E9

Strings

ZE, xrefs: 003F1392
default, xrefs: 003F130B
, xrefs: 003F125A
winsta0, xrefs: 003F12CC

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZE
API String ID: 22674027-4118585987
Opcode ID: eddcdd82a5a2a6fc5475ef0779f92b4dcd30ffc82fbecfa10c3d5aa62ca78a21
Instruction ID: 6e34678019b3aa0993faee276bbb91fdc75060dbb2ce59dd6baea25e1b47cfb8
Opcode Fuzzy Hash: eddcdd82a5a2a6fc5475ef0779f92b4dcd30ffc82fbecfa10c3d5aa62ca78a21
Instruction Fuzzy Hash: 9D819771A0020DEBDF269FA5EC89FFE7BB9EF44704F144129FA11A62A1C7708945CB64

Function 003F0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003F1114
Part of subcall function 003F10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,003F0B9B,?,?,?), ref: 003F1120
Part of subcall function 003F10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003F0B9B,?,?,?), ref: 003F112F
Part of subcall function 003F10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003F0B9B,?,?,?), ref: 003F1136
Part of subcall function 003F10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003F114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 003F0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 003F0C00
GetLengthSid.ADVAPI32(?), ref: 003F0C17
GetAce.ADVAPI32(?,00000000,?), ref: 003F0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003F0C6D
GetLengthSid.ADVAPI32(?), ref: 003F0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 003F0C8C
HeapAlloc.KERNEL32(00000000), ref: 003F0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 003F0CB4
CopySid.ADVAPI32(00000000), ref: 003F0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 003F0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003F0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 003F0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003F0D45
HeapFree.KERNEL32(00000000), ref: 003F0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003F0D55
HeapFree.KERNEL32(00000000), ref: 003F0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003F0D65
HeapFree.KERNEL32(00000000), ref: 003F0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 003F0D78
HeapFree.KERNEL32(00000000), ref: 003F0D7F

Part of subcall function 003F1193: GetProcessHeap.KERNEL32(00000008,003F0BB1,?,00000000,?,003F0BB1,?), ref: 003F11A1
Part of subcall function 003F1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,003F0BB1,?), ref: 003F11A8
Part of subcall function 003F1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,003F0BB1,?), ref: 003F11B7

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 44908c1f533df2767e54c055ef09a4fa351f086e3868c7ea68765dc66e34a154
Instruction ID: 14f5c1b7777e4b5b91531cf5eaa22e28e10529bd3e3f8e380f641de81cdb4219
Opcode Fuzzy Hash: 44908c1f533df2767e54c055ef09a4fa351f086e3868c7ea68765dc66e34a154
Instruction Fuzzy Hash: 97716C71A0020AABDF259FE8DC85FBEBBBDBF04300F054565FA15A6192D771A905CB60

Function 0040EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0042CC08), ref: 0040EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0040EB37
GetClipboardData.USER32(0000000D), ref: 0040EB43
CloseClipboard.USER32 ref: 0040EB4F
GlobalLock.KERNEL32(00000000), ref: 0040EB87
CloseClipboard.USER32 ref: 0040EB91
GlobalUnlock.KERNEL32(00000000), ref: 0040EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0040EBC9
GetClipboardData.USER32(00000001), ref: 0040EBD1
GlobalLock.KERNEL32(00000000), ref: 0040EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0040EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0040EC38
GetClipboardData.USER32(0000000F), ref: 0040EC44
GlobalLock.KERNEL32(00000000), ref: 0040EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0040EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0040EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0040ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0040ECF3
CountClipboardFormats.USER32 ref: 0040ED14
CloseClipboard.USER32 ref: 0040ED59

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 3c651b3211ac64d744e3210720a080692a341077f885b8ca161fadc74eaa6022
Instruction ID: d0b60273f40ee815731260db850564ee8ad6c6315d44a055a6d86de6170d771e
Opcode Fuzzy Hash: 3c651b3211ac64d744e3210720a080692a341077f885b8ca161fadc74eaa6022
Instruction Fuzzy Hash: 1761E0342042029FD310EF25D894F3E77A4EF84704F44496EF856AB2E2CB35E906CBA6

Function 0040698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004069BE
FindClose.KERNEL32(00000000), ref: 00406A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00406A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00406A75

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00406AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00406ADF

Strings

%02d, xrefs: 00406C00, 00406C0A, 00406C5A, 00406CAA, 00406CFA, 00406D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00406B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00406B32
%4d, xrefs: 00406BB1
%03d, xrefs: 00406DA2

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 3d765edcf11d7213290150a1d6f8f7121227f5f0a67f2e3e0fe0797ffb57859a
Instruction ID: cc517bdc74573b5611fc69f2385257e1b66bc441bd52ff6cdd49d14cd6a2f3b3
Opcode Fuzzy Hash: 3d765edcf11d7213290150a1d6f8f7121227f5f0a67f2e3e0fe0797ffb57859a
Instruction Fuzzy Hash: FDD164725083009FC715EBA4C885EAFB7ECAF89704F44491EF586DB291EB34DA44CB62

Function 00409642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00409663
GetFileAttributesW.KERNEL32(?), ref: 004096A1
SetFileAttributesW.KERNEL32(?,?), ref: 004096BB
FindNextFileW.KERNEL32(00000000,?), ref: 004096D3
FindClose.KERNEL32(00000000), ref: 004096DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004096FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0040974A
SetCurrentDirectoryW.KERNEL32(00456B7C), ref: 00409768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00409772
FindClose.KERNEL32(00000000), ref: 0040977F
FindClose.KERNEL32(00000000), ref: 0040978F

Strings

*.*, xrefs: 004096F5

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 03e77d197b9fdc7eaff2d2732bc0cfdcfca1bd483519bfbf2b3a4294e098c2cd
Instruction ID: e8071af7c4d169921a14a813826581b81afa0d83e091feb964992e6cf16fbb78
Opcode Fuzzy Hash: 03e77d197b9fdc7eaff2d2732bc0cfdcfca1bd483519bfbf2b3a4294e098c2cd
Instruction Fuzzy Hash: AC31CF32641219AECB20AFB4DC49ADF77AC9F09320F5045B6F904F31E1DB38DE458A68

Function 0040979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 004097BE
FindNextFileW.KERNEL32(00000000,?), ref: 00409819
FindClose.KERNEL32(00000000), ref: 00409824
FindFirstFileW.KERNEL32(*.*,?), ref: 00409840
SetCurrentDirectoryW.KERNEL32(?), ref: 00409890
SetCurrentDirectoryW.KERNEL32(00456B7C), ref: 004098AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004098B8
FindClose.KERNEL32(00000000), ref: 004098C5
FindClose.KERNEL32(00000000), ref: 004098D5

Part of subcall function 003FDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003FDB00

Strings

*.*, xrefs: 0040983B

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 3533642caf7b3a5141345b8d3b34d4de61a915ed0650ca0d5578bdb5bda0ac52
Instruction ID: 4604239835f62644d9a28a5be094d654cb5604aed556f972535332f035086971
Opcode Fuzzy Hash: 3533642caf7b3a5141345b8d3b34d4de61a915ed0650ca0d5578bdb5bda0ac52
Instruction Fuzzy Hash: 2C31D5326116196EDB20EFA4DC48ADF37AC9F06320F148576E910B32D2DB38DE458A68

Function 0041BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0041B6AE,?,?), ref: 0041C9B5
Part of subcall function 0041C998: _wcslen.LIBCMT ref: 0041C9F1
Part of subcall function 0041C998: _wcslen.LIBCMT ref: 0041CA68
Part of subcall function 0041C998: _wcslen.LIBCMT ref: 0041CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0041BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0041BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0041BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0041C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0041C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0041C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0041C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0041C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0041C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0041C382
RegCloseKey.ADVAPI32(00000000), ref: 0041C38F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: c7d43098db33036247d02fe798865b17b4b83201e4f5699e7c9c0c4cefae57ef
Instruction ID: ab5735995b75c16bc1882b11045333f03b22923c41f44063d259f14c12f4144b
Opcode Fuzzy Hash: c7d43098db33036247d02fe798865b17b4b83201e4f5699e7c9c0c4cefae57ef
Instruction Fuzzy Hash: 95024C716042009FD715DF28C8D5E6ABBE5EF49308F18849DF84ACB2A2D735EC46CB96

Function 00408195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00408257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00408267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00408273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00408310
SetCurrentDirectoryW.KERNEL32(?), ref: 00408324
SetCurrentDirectoryW.KERNEL32(?), ref: 00408356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0040838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00408395

Strings

*.*, xrefs: 0040839B

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 2c2194afc611a0b54f566e814b8ca534c300845bf66bd00f8dee84154a1bd146
Instruction ID: 483e8e4569fc251515202389c1e8e8cd534dc2c417038ba785b73a42dbdfff54
Opcode Fuzzy Hash: 2c2194afc611a0b54f566e814b8ca534c300845bf66bd00f8dee84154a1bd146
Instruction Fuzzy Hash: 1D617C725083059FDB10EF60C9409AFB3E8FF89314F04496EF9899B291EB35E905CB96

Function 003FD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00393AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00393A97,?,?,00392E7F,?,?,?,00000000), ref: 00393AC2

Part of subcall function 003FE199: GetFileAttributesW.KERNEL32(?,003FCF95), ref: 003FE19A

FindFirstFileW.KERNEL32(?,?), ref: 003FD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 003FD1DD
MoveFileW.KERNEL32(?,?), ref: 003FD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 003FD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 003FD237

Part of subcall function 003FD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,003FD21C,?,?), ref: 003FD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 003FD253
FindClose.KERNEL32(00000000), ref: 003FD264

Strings

\*.*, xrefs: 003FD0CD, 003FD0D6, 003FD0EB

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 64e69a2e73ece3050d77ad67beacd14b32470519a453de5db2ff2cdb3e3f2da9
Instruction ID: bb98096b1ebc908c6e0264b032f0581ec24f176d713d47ddb9d3f6baf3dd986f
Opcode Fuzzy Hash: 64e69a2e73ece3050d77ad67beacd14b32470519a453de5db2ff2cdb3e3f2da9
Instruction Fuzzy Hash: ED616D31D0510DAACF16EBE4CA969FDB776AF15300F2045A9E5027B191EF31AF09CBA1

Function 0040ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0040ED91
EmptyClipboard.USER32 ref: 0040ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0040EDAC
CloseClipboard.USER32 ref: 0040EEA3

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 82e9cd728f241ac2afd5288fba65d8db1824dbfe2521eecd63e4d639c20efbc2
Instruction ID: 98e8b1d2ab9d9bb5f382d89c3749d7ded4a9583f2ed11e752b2ac1635c2f13aa
Opcode Fuzzy Hash: 82e9cd728f241ac2afd5288fba65d8db1824dbfe2521eecd63e4d639c20efbc2
Instruction Fuzzy Hash: 6B419F35604611DFE721DF16D888B1ABBE1EF44318F54C4AAE41A9B7A2C739EC42CBD4

Function 003FE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003F16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003F170D
Part of subcall function 003F16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003F173A
Part of subcall function 003F16C3: GetLastError.KERNEL32 ref: 003F174A

ExitWindowsEx.USER32(?,00000000), ref: 003FE932

Strings

@, xrefs: 003FE925
, xrefs: 003FE95C
SeShutdownPrivilege, xrefs: 003FE902
, xrefs: 003FE920

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 314be466e1c431af779c05e03f6c1d1abbcaeacebb0064a952c7522e6f7990b3
Instruction ID: fc0c18c61941f95c2adecc4afe99e95b10b433b798c34ffc66c60660ea164b9a
Opcode Fuzzy Hash: 314be466e1c431af779c05e03f6c1d1abbcaeacebb0064a952c7522e6f7990b3
Instruction Fuzzy Hash: DB012672710219ABEB6527B4AC86FBF729C9B14741F160932FE12E21E2DBE85C4081B4

Function 00411204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00411276
WSAGetLastError.WSOCK32 ref: 00411283
bind.WSOCK32(00000000,?,00000010), ref: 004112BA
WSAGetLastError.WSOCK32 ref: 004112C5
closesocket.WSOCK32(00000000), ref: 004112F4
listen.WSOCK32(00000000,00000005), ref: 00411303
WSAGetLastError.WSOCK32 ref: 0041130D
closesocket.WSOCK32(00000000), ref: 0041133C

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: ea4e1909339f0b81f5f76be8589aea7e7cf34c10461748bcee93f34b05899083
Instruction ID: ed05836fed044d0bfb9eb746c80fd917bacd577dad003b5f9cc15cf1b0032861
Opcode Fuzzy Hash: ea4e1909339f0b81f5f76be8589aea7e7cf34c10461748bcee93f34b05899083
Instruction Fuzzy Hash: 9F41A0316001409FD720EF24C4C8B6ABBE5AF46318F588099E9569F3E6C775EC82CBE5

Function 003CB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003CB9D4
_free.LIBCMT ref: 003CB9F8
_free.LIBCMT ref: 003CBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00433700), ref: 003CBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0046121C,000000FF,00000000,0000003F,00000000,?,?), ref: 003CBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00461270,000000FF,?,0000003F,00000000,?), ref: 003CBC36
_free.LIBCMT ref: 003CBD4B

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 28593775eb51256c2aa156064c8c7d57cb1e5105b90494c030c19c74bcc232df
Instruction ID: 9e2a1680f22fbb4f114c27a73de27fc992d1cd749b7316207ee60dfb775b6ee2
Opcode Fuzzy Hash: 28593775eb51256c2aa156064c8c7d57cb1e5105b90494c030c19c74bcc232df
Instruction Fuzzy Hash: FDC12675A04244AFCB229F788C53FAAFBB8EF41350F1941AEE495DB251EB319E41CB50

Function 003FD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00393AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00393A97,?,?,00392E7F,?,?,?,00000000), ref: 00393AC2

Part of subcall function 003FE199: GetFileAttributesW.KERNEL32(?,003FCF95), ref: 003FE19A

FindFirstFileW.KERNEL32(?,?), ref: 003FD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 003FD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 003FD481
FindClose.KERNEL32(00000000), ref: 003FD498
FindClose.KERNEL32(00000000), ref: 003FD4A1

Strings

\*.*, xrefs: 003FD3F2

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: b0fdf48dded0e824948ebc9968c23931329dec7ada13b29f229b0c606a2366a1
Instruction ID: 4cc391b8ea276e487151151dcfe0a287eb1e2d317f307a2907ab63a87187f904
Opcode Fuzzy Hash: b0fdf48dded0e824948ebc9968c23931329dec7ada13b29f229b0c606a2366a1
Instruction Fuzzy Hash: CB319E7100C3459BC712EF64C8969BFB7A8BEA1304F804A2DF4D5971A1EF20AA09D767

Function 003CE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 003CE645

Strings

1#INF, xrefs: 003CF852
1#IND, xrefs: 003CF83D
1#SNAN, xrefs: 003CF844
1#QNAN, xrefs: 003CF84B

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ad6dd2d825ece87d331aa7660e818aa1d0ea71e78494bb64079fef6a2513dfd0
Instruction ID: 60dd4737a1e842109b3aa532779b10d71bf329f9bf531aa4d5cd532cc1e52b5e
Opcode Fuzzy Hash: ad6dd2d825ece87d331aa7660e818aa1d0ea71e78494bb64079fef6a2513dfd0
Instruction Fuzzy Hash: 36C22C72E046288FDB26CE28DD40BEAB7BAEB45305F1541EED44DE7241E775AE818F40

Function 0040648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004064DC
CoInitialize.OLE32(00000000), ref: 00406639
CoCreateInstance.OLE32(0042FCF8,00000000,00000001,0042FB68,?), ref: 00406650
CoUninitialize.OLE32 ref: 004068D4

Strings

.lnk, xrefs: 004064BA, 00406524, 004065E0

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 0363b0c8a88584778ece96c0c9457e2a58e5aff12df31fb45dbeffbaf9084e0d
Instruction ID: a1ae53130ea66287cd2cdf81698c613b612c0591c5d786a9eb6a2d5c1dcfe5b9
Opcode Fuzzy Hash: 0363b0c8a88584778ece96c0c9457e2a58e5aff12df31fb45dbeffbaf9084e0d
Instruction Fuzzy Hash: C7D16A71508201AFC715EF24C881E6BB7E8FF94704F50496EF5969B291EB70ED09CB92

Function 004122DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004122E8

Part of subcall function 0040E4EC: GetWindowRect.USER32(?,?), ref: 0040E504

GetDesktopWindow.USER32 ref: 00412312
GetWindowRect.USER32(00000000), ref: 00412319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00412355
GetCursorPos.USER32(?), ref: 00412381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004123DF

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 6da6dfd4aaf476f0e4e305631492488b8577ef579c1313b60cff4275f257af9c
Instruction ID: 152ba1297c6e34669a0cf5c4eae08ee6107d9aca3da7aebdabdbcd611f8abec9
Opcode Fuzzy Hash: 6da6dfd4aaf476f0e4e305631492488b8577ef579c1313b60cff4275f257af9c
Instruction Fuzzy Hash: BF310272204319AFC720DF24C844B9BB7A9FF84310F00092AF994D7291DB78EA59CB96

Function 00409B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00409B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00409C8B

Part of subcall function 00403874: GetInputState.USER32 ref: 004038CB
Part of subcall function 00403874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00403966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00409BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00409C75

Strings

*.*, xrefs: 00409B5D

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 14535953392595bb0528f9433e1f86bc56938b8d51432f4969c87dd785b006bb
Instruction ID: 6e277b9c1a0d2a0d36ae2b8dd6183a7cc8acab9df766cf70fdc1da9c50200b1d
Opcode Fuzzy Hash: 14535953392595bb0528f9433e1f86bc56938b8d51432f4969c87dd785b006bb
Instruction Fuzzy Hash: C7417E71D4420A9FDF15DF64C889AEE7BB8EF05310F20416AE805B6292EB349E45CF68

Function 003A997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 003A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003A9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 003A9A4E
GetSysColor.USER32(0000000F), ref: 003A9B23
SetBkColor.GDI32(?,00000000), ref: 003A9B36

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 77e885983974c403d8b1b771c9812a93045526bbe3593adc0e2372dbdeb977e6
Instruction ID: 1450b4fea81b65a980a9d40efa1d4c16058f6c2cdd35973eefafc31ff3d7d118
Opcode Fuzzy Hash: 77e885983974c403d8b1b771c9812a93045526bbe3593adc0e2372dbdeb977e6
Instruction Fuzzy Hash: 48A13C70208464BEE727AA3E9C88F7B269DDB43344F16431FF502E69D1CA259D01D27A

Function 00411806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0041304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0041307A
Part of subcall function 0041304E: _wcslen.LIBCMT ref: 0041309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0041185D
WSAGetLastError.WSOCK32 ref: 00411884
bind.WSOCK32(00000000,?,00000010), ref: 004118DB
WSAGetLastError.WSOCK32 ref: 004118E6
closesocket.WSOCK32(00000000), ref: 00411915

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: baf33a79897eb22885f3b629118bc6972493d1a54e6c7767a6553a248bdf19c1
Instruction ID: 18f0e62f88747612f12c185e108e534558b49ed6f1841fbcdaec0f9154bedbc3
Opcode Fuzzy Hash: baf33a79897eb22885f3b629118bc6972493d1a54e6c7767a6553a248bdf19c1
Instruction Fuzzy Hash: E051D371A00200AFEB11AF24C886F6A77E5AB49718F44C05DFA0A5F3D3D775AD42CBA1

Function 00421C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00421CC0
IsWindowEnabled.USER32 ref: 00421CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00421CDB
IsIconic.USER32 ref: 00421CE9
IsZoomed.USER32 ref: 00421CF7

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 709d48ae97dbba24967e81312ddfa21ef292be4b98494d191dc8391d0fb0ce4e
Instruction ID: d3b567c7b32b5ea00cb2710391e87bf07adb2e8d19e99325bcd5121358a2dbc2
Opcode Fuzzy Hash: 709d48ae97dbba24967e81312ddfa21ef292be4b98494d191dc8391d0fb0ce4e
Instruction Fuzzy Hash: 8421D8357401205FE7218F17E884B2B7BA5EFA5314F99806AE446CB361C775EC42CB98

Function 00398060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 003983FA
ERCP, xrefs: 0039813C
VUUU, xrefs: 003983E8
VUUU, xrefs: 0039843C
VUUU, xrefs: 003D5DF0

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: ee3f74c01ce82c003f20d6629249d3b6b2ddd80052a14b8abaae48a762e59a6b
Instruction ID: cb9d3004e8f58c6671d9e4ee458a01e2636b91231c3c3a7df5b40f8fc41ec0bb
Opcode Fuzzy Hash: ee3f74c01ce82c003f20d6629249d3b6b2ddd80052a14b8abaae48a762e59a6b
Instruction Fuzzy Hash: D0A2C376E0061ACBDF26CF58D8417AEB7B1BF95310F2585AAD815AB381DB309D81CF90

Function 003F8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003F82AA

Strings

|, xrefs: 003F82DA
tbE, xrefs: 003F84F4
(, xrefs: 003F82F0

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbE$|
API String ID: 1659193697-3195274680
Opcode ID: 7e8523e7ae5f0931f2bac0fb4810ff503d068a7a979aeea372bbefe89b0336ef
Instruction ID: 1c0a5c01828149e2d977b510c5101e6f4072d93b4494601100bc668287bb7ef1
Opcode Fuzzy Hash: 7e8523e7ae5f0931f2bac0fb4810ff503d068a7a979aeea372bbefe89b0336ef
Instruction Fuzzy Hash: AD324579A007099FCB29CF59C081A6AB7F0FF48710B15C56EE59ADB7A1EB70E941CB40

Function 003FAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 003FAAAC
SetKeyboardState.USER32(00000080), ref: 003FAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 003FAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 003FAB88

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 192be2bf8a00439ba6bcbb9daf1ab66ebdd0c9e7aff8f740ad08c32bc4f85d89
Instruction ID: 957a5efa1e4367382101b7582d6bd68dfa0e92edbecd0424a969dd28968847c7
Opcode Fuzzy Hash: 192be2bf8a00439ba6bcbb9daf1ab66ebdd0c9e7aff8f740ad08c32bc4f85d89
Instruction Fuzzy Hash: 9F311AB0A40A0CAEFF368B64CC05BFA77AAAF44310F04421AF289561D0D3748D85C7A6

Function 0040CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0040CE89
GetLastError.KERNEL32(?,00000000), ref: 0040CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0040CEFE

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 5dafa1ed734bc429cb443d3306e37cae404021a9390cea4f3aca3c055db2e846
Instruction ID: e78b568248ebe46d9193281a570f24f8bd045fec3ab3e622d0706265f7547958
Opcode Fuzzy Hash: 5dafa1ed734bc429cb443d3306e37cae404021a9390cea4f3aca3c055db2e846
Instruction Fuzzy Hash: 4921AE71500705DBD730CF65C984BAB77F8EB50318F20452AE646E2291E778ED058BA8

Function 00405C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00405CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00405D17
FindClose.KERNEL32(?), ref: 00405D5F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b2c582b6f09b326bf9da968e537a66a6237d777faf82636c2a1fa857ee4e4477
Instruction ID: 7987a9b22d3b5a79d7e948294d0c1a6c4b21cf8f6fdf1b708f64b5e73feb4e24
Opcode Fuzzy Hash: b2c582b6f09b326bf9da968e537a66a6237d777faf82636c2a1fa857ee4e4477
Instruction Fuzzy Hash: 4751B835604A019FC714CF28C494E9AB7E4FF4A324F14856EE99A8B3A2DB34ED05CF95

Function 003C2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 003C271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003C2724
UnhandledExceptionFilter.KERNEL32(?), ref: 003C2731

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b15577cb3baa0b228329f03ffce0bb5f7bf02e9524b7605fd7b2a2632694af5d
Instruction ID: 8fd112d12474427d0d7933b17fe019167669fdfd0c04b1cc36f561f990803a85
Opcode Fuzzy Hash: b15577cb3baa0b228329f03ffce0bb5f7bf02e9524b7605fd7b2a2632694af5d
Instruction Fuzzy Hash: 8D31B5749113189BCB22DF64DC89BDDB7B8AF08350F5045EAE91CA7261E7709F818F45

Function 004051CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004051DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00405238
SetErrorMode.KERNEL32(00000000), ref: 004052A1

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f51b0f0f3aecf55e484a30e8427898977881621a76272521eeb455e488dffbad
Instruction ID: 7b54ac25d800e1398b8e6e57a75a249bdad2fbf1d35d42f4199b12f83f7a8e16
Opcode Fuzzy Hash: f51b0f0f3aecf55e484a30e8427898977881621a76272521eeb455e488dffbad
Instruction Fuzzy Hash: 89315A35A005089FDB00DF54D885EAEBBB4FF09314F4480A9E805AB3A2DB35E856CF90

Function 003F16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 003AFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 003B0668
Part of subcall function 003AFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 003B0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003F170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003F173A
GetLastError.KERNEL32 ref: 003F174A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 23457edce7a1daf10bfeb0dd5c66ed275a5694e1f1b8ec5abf742c57d68fffd6
Instruction ID: ee49f65b30c638309218763b7a652525ac7b9672f38a8dde7c0198c59649b380
Opcode Fuzzy Hash: 23457edce7a1daf10bfeb0dd5c66ed275a5694e1f1b8ec5abf742c57d68fffd6
Instruction Fuzzy Hash: 5811C1B2500308EFE729AF94ECC6D6AB7BDEF04714B20852EE45657241EB70BC428A64

Function 003FD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003FD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 003FD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003FD650

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 6651bbe72a5447460894355aa6ee7ebaaab225e4f36d84138cfd9b3231cfb40a
Instruction ID: ea3ac7f5f6f2c6065b4138b54b4c5a7f31b6167f31cae07aed9878f6904c8866
Opcode Fuzzy Hash: 6651bbe72a5447460894355aa6ee7ebaaab225e4f36d84138cfd9b3231cfb40a
Instruction Fuzzy Hash: 2011A171E01228BFDB218F94DC89FAFBFBCEB45B60F108121F904E7290C6704A018BA1

Function 003F1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 003F168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003F16A1
FreeSid.ADVAPI32(?), ref: 003F16B1

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 9e99cd76de685d2c2c2a158f9e1fb7c336fc8a71041bd4353dd29d5cc8c6ba13
Instruction ID: 79915c43fe1ad2063fb66129e0ed6de649593627075735263e337b87eba360e5
Opcode Fuzzy Hash: 9e99cd76de685d2c2c2a158f9e1fb7c336fc8a71041bd4353dd29d5cc8c6ba13
Instruction Fuzzy Hash: 4AF0F471A5030DFBDB00DFE49C89EAEBBBCFB08644F504565E901E2181E774AA448A54

Function 003CC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 003CC36C

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 193519e82cd86bdd173f5224f5b9bd37a5ae7748e31aac9cd5189910e10e1015
Instruction ID: 6cb9840b3c82b2618dd4cc4e97c763a7b7d2af454e1f4dc3eb3ac1774015fe67
Opcode Fuzzy Hash: 193519e82cd86bdd173f5224f5b9bd37a5ae7748e31aac9cd5189910e10e1015
Instruction Fuzzy Hash: A0413676900218AFCB259FB9DC88EAB77B8EB84314F10866DF909CB180E6309D81CB50

Function 003ED27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 003ED28C

Strings

X64, xrefs: 003ED2A8

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 6d8690853c5d4e2d9358caf1dab62f567893ac5a4027f042814f2b136f3c3579
Instruction ID: 60fe3efc0f46e7b6160a406fa4553f8bd4ff2592eb4f0c5460917b77b18cfd5e
Opcode Fuzzy Hash: 6d8690853c5d4e2d9358caf1dab62f567893ac5a4027f042814f2b136f3c3579
Instruction Fuzzy Hash: 37D0CAB480112DEACBA1CBA0ECC8DDEB3BCBB04305F1006A2F206A2840DB3096498F20

Function 003BCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: be3183be315a03af8cc7958f3e710cae09886d19e512c839d00cc68dcd919a75
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 07021C71E101199BDF25CFA9C8806EEFBF1EF88314F25416AD919EB784D730AE418B90

Function 0039CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 003E0C40
p#F, xrefs: 0039CF7F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#F
API String ID: 0-3463205768
Opcode ID: 3b166f08548572aac2768d932b25a6a08fb952e365f9af28b620d67641b08d38
Instruction ID: 0e3e7750e93bc827d6debd221c1b0b03b4f28b10f6cfa569af6005d98dec1c16
Opcode Fuzzy Hash: 3b166f08548572aac2768d932b25a6a08fb952e365f9af28b620d67641b08d38
Instruction Fuzzy Hash: AC32BD70910218DBDF1ADF94C994BEDB7B9FF05304F244169E806AF282D775AE86CB60

Function 004068EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00406918
FindClose.KERNEL32(00000000), ref: 00406961

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e67692b8f068c4b6d2f5a0cab2676340fb01dc22572592f4e4336c15a71cf982
Instruction ID: 2ff4472613b0c78ebd732283808ba41deed15f89b84bd02655cf2aa23675815d
Opcode Fuzzy Hash: e67692b8f068c4b6d2f5a0cab2676340fb01dc22572592f4e4336c15a71cf982
Instruction Fuzzy Hash: 1A11D3716142009FD710DF29C484A16BBE1FF85328F45C6A9F46A9F7A2CB34EC05CB91

Function 004037B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00414891,?,?,00000035,?), ref: 004037E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00414891,?,?,00000035,?), ref: 004037F4

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0fe5f2574485ed813460f50f55695ad48ec64a13fa8720e09bac9078820aec1e
Instruction ID: 4f644ec17c2437130e190fe515463119ffe17541c6f6e4ff94bf6cad70ef9db1
Opcode Fuzzy Hash: 0fe5f2574485ed813460f50f55695ad48ec64a13fa8720e09bac9078820aec1e
Instruction Fuzzy Hash: C3F0EC717042156AE72057659C4DFDB7A5DDFC4761F000276F505E32C5D9705905C6F4

Function 003FB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 003FB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 003FB270

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: f712256743baf68518cc2d33373a1f567ab24e086129aba6364d8c4f63c4bee3
Instruction ID: 3b8aee2ad40917629c5890876b570cd32a99f5284b4b296355831f343041b46c
Opcode Fuzzy Hash: f712256743baf68518cc2d33373a1f567ab24e086129aba6364d8c4f63c4bee3
Instruction Fuzzy Hash: 74F01D7190424EABDF159FA0C805BBEBBB4FF04305F108419F955A5191C379C6119F94

Function 003F10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003F11FC), ref: 003F10D4
CloseHandle.KERNEL32(?,?,003F11FC), ref: 003F10E9

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d689a28bb3caea7b36d7046be746dbdfa06261a31942802a8cd5dc56196dd804
Instruction ID: e2a7bd49ae458b02276cc08a74a57cbfd52886e473225617fc7f24a3cd6a141a
Opcode Fuzzy Hash: d689a28bb3caea7b36d7046be746dbdfa06261a31942802a8cd5dc56196dd804
Instruction Fuzzy Hash: E3E04F32004600EEE7362B61FC09E77B7E9EB04320B20882DF5A5844B5DB626CA1DB54

Function 003C676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,003C6766,?,?,00000008,?,?,003CFEFE,00000000), ref: 003C6998

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d6646f4cba1569595b8a659961fe58492222778b6b0f6afa5dd000be8b85736d
Instruction ID: 7b703323f66f99ed0fb4986c170a046f5f270173c987337c44355d163c398dbf
Opcode Fuzzy Hash: d6646f4cba1569595b8a659961fe58492222778b6b0f6afa5dd000be8b85736d
Instruction Fuzzy Hash: 22B128756106089FD71ACF28C48AB657BE0FF45364F26865CE89ACF2A2C735ED91CB40

Function 003AB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 003E851F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 33a9db44cf0d9c7396e613250aca7184b5c4ddce8eb0081002b3137bdafd34eb
Instruction ID: c6e192a7a211a74ee633aa32407297c4ec3f64fecbb8ef768988bbd88c159a8c
Opcode Fuzzy Hash: 33a9db44cf0d9c7396e613250aca7184b5c4ddce8eb0081002b3137bdafd34eb
Instruction Fuzzy Hash: 88126075D002299FCB15CF59C8806EEB7B5FF49310F1581AAE849EB296DB349E81CF90

Function 0040EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0040EABD

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 11ae598770346e5e1efc8964c9b3916e2b63f70600e53e24a33710504eccd1e6
Instruction ID: e69a779e7f165396b43fefa080ea7e1d3d86d132956501a2f2a615a2c99f20cf
Opcode Fuzzy Hash: 11ae598770346e5e1efc8964c9b3916e2b63f70600e53e24a33710504eccd1e6
Instruction Fuzzy Hash: F9E04F323102049FD710EF5AD844E9AF7E9AF98760F008426FC4ADB3A1DB74E8418BA5

Function 003B09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003B03EE), ref: 003B09DA

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 663ae49a577e1a03c5dfa55036ccea180dd051cc3056c6a893c6b545c8dac183
Instruction ID: 5aae7f265c6fd9fb8449e0b6d339ef9b839297f502fbccafe6c042a761df2bb2
Opcode Fuzzy Hash: 663ae49a577e1a03c5dfa55036ccea180dd051cc3056c6a893c6b545c8dac183
Instruction Fuzzy Hash:

Function 003B781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 003B798B

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: a6c4dc701fbd7cc45f5869b15b1549568c033ee4840f60477851f7b86c2d452e
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: D451346160C7095ADB3B8A68885BBFE3399DBC234CF190509DB82DBE82CB15DE01D356

Function 00402046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&F, xrefs: 00402053

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID: 0&F
API String ID: 0-2269862659
Opcode ID: 2e160b737351e63042727db8dd20c84c6daa8d1280415743fcdeb01403c1b17a
Instruction ID: 1b1e932d39cd1c99190cfee6cc54c2ec3d1249c98e25c441b8230710b4a006dc
Opcode Fuzzy Hash: 2e160b737351e63042727db8dd20c84c6daa8d1280415743fcdeb01403c1b17a
Instruction Fuzzy Hash: 9021D5326206118BD728CE79C92267E73E5A754310F14863EE4A7D37D0DEB9A904CB84

Function 003C6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc097acdb906e979201c6a0597acede944f6a2a44adc231e0a8b7a159fd75b0
Instruction ID: 77ccd96c65af7bbf69e5b8b9831bd5987e9e85e759fd46401e49fb954b223cad
Opcode Fuzzy Hash: ebc097acdb906e979201c6a0597acede944f6a2a44adc231e0a8b7a159fd75b0
Instruction Fuzzy Hash: 78323132D29F014DD7239634DD22336A64DAFB73C5F15E73BE81AB59A5EB28C8834600

Function 003ACC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5801cd0ae68f7af17b8aeb58c2842edc2b12c657908184f987ca3486f4dea0
Instruction ID: 1a9fe2616b1513f841752ca04170d39cdbbd3505d169d56ef545ec065f319526
Opcode Fuzzy Hash: 2d5801cd0ae68f7af17b8aeb58c2842edc2b12c657908184f987ca3486f4dea0
Instruction Fuzzy Hash: 88323B31A241A58FDF27CF2AC49467D77A1EB46310F2AA666D8498B6D2D330DD83DB40

Function 00397920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1340d675a42ea9c24fccef568c3ff442b619296cde27a9e6ee0652a45ffdb8
Instruction ID: 028bda9c516d7027ba0b7db31d1eecaa6a0f79f246c59240a45c995b51bfdf75
Opcode Fuzzy Hash: 1e1340d675a42ea9c24fccef568c3ff442b619296cde27a9e6ee0652a45ffdb8
Instruction Fuzzy Hash: 1122B071A04609DFDF16CFA9D881AAEB7B6FF44300F10452AE812AB791EB35ED15CB50

Function 003991C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5d1eed88be45535d4c571782203a9ca297353c54f600e5e7a8e37a173c1a60
Instruction ID: f6ba2edf0395d3d4ad76b9f9cc30cd692a2645b03825fa4a88bb550b06644001
Opcode Fuzzy Hash: 4b5d1eed88be45535d4c571782203a9ca297353c54f600e5e7a8e37a173c1a60
Instruction Fuzzy Hash: A902A6B1A10209EFDF06DF54D881AADBBB5FF44304F11816AE8169F391EB31EA11CB95

Function 003C9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3bbd790dd8109446e1236b938f32cf8c4206baf358bbaf1797a47ad5be4f11d
Instruction ID: ff95d3732c07b89c79b54278e05d29bdc517549138dfed92160784198e8991c7
Opcode Fuzzy Hash: a3bbd790dd8109446e1236b938f32cf8c4206baf358bbaf1797a47ad5be4f11d
Instruction Fuzzy Hash: 8DB10520D2AF404DD3239A398831336B75CAFBB6D6F51E72BFC1674D22EB2285834244

Function 003B1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 432636ba3299227608b76b6df791e68c5d495c1be8337ce9670010f9c8e7b4c8
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: D49197322080E34ADB6B463E85740BEFFE15A923A535B079DD5F2CB9C5FE20C964D620

Function 003B19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 4ab753ab597950061375fc4708cfac643da1296542d59a0278337487bd8e5013
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: C791B5322090E34ADB2F827E84740BEFFE15A923A935B079DD5F2CA9C5FE14D564D620

Function 003B7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2c70fa6e83d1e6b4d6695330cf7dc930e3ce3be7b57b3d5837f7de05511be8
Instruction ID: 43fd00d4c0126e85af8fa9d5c9bf2fa4c30e2c161562a6f3810fc0cc8d69e2d5
Opcode Fuzzy Hash: db2c70fa6e83d1e6b4d6695330cf7dc930e3ce3be7b57b3d5837f7de05511be8
Instruction Fuzzy Hash: B961562170834966DA7BDA288895BFE2398DFC170CF11091AEB42DFFC1DA119E42CB55

Function 003B7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef016a17f75a618b35a6e90d00676b2e5621bbd715c662c4904d9be318d23757
Instruction ID: f35688ecdaf0aa07fee4ea8ad4b134a49eed7abafcac15d9850414a8931e1e37
Opcode Fuzzy Hash: ef016a17f75a618b35a6e90d00676b2e5621bbd715c662c4904d9be318d23757
Instruction Fuzzy Hash: 3461477160870966DA3B5A2888A6BFE239CDFC278CF11095DEB43DFE81DA12DD42C355

Function 003B1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: fbac8c88c32ab14c05abcd8cd86a3a4725d0db8982a30a077d3092be5cef8f4f
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 238198336080E349DB6F423985350BEFFE16A923A935B079DD5F2CB9C1EE14C654E660

Function 00412ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00412B30
DeleteObject.GDI32(00000000), ref: 00412B43
DestroyWindow.USER32 ref: 00412B52
GetDesktopWindow.USER32 ref: 00412B6D
GetWindowRect.USER32(00000000), ref: 00412B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00412CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00412CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00412CF8
GetClientRect.USER32(00000000,?), ref: 00412D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00412D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00412D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00412D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00412D80
GlobalLock.KERNEL32(00000000), ref: 00412D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00412D98
GlobalUnlock.KERNEL32(00000000), ref: 00412DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00412DA8
GlobalFree.KERNEL32(00000000), ref: 00412DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00412DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0042FC38,00000000), ref: 00412DDB
GlobalFree.KERNEL32(00000000), ref: 00412DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00412E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00412E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00412E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0041303F

Strings

static, xrefs: 00412D3A, 00412E91
AutoIt v3, xrefs: 00412CF2
, xrefs: 00412FC5
DISPLAY, xrefs: 00412EA2

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: d6e5cfe2a51f4ce69c810626151c43d9bfee92a99afb752f0e6cf5c1f45dd8d0
Instruction ID: 2f44bd1a6b7b8093f3f090090edcef0cecd89f3e6e6887487fbc91e807ff6402
Opcode Fuzzy Hash: d6e5cfe2a51f4ce69c810626151c43d9bfee92a99afb752f0e6cf5c1f45dd8d0
Instruction Fuzzy Hash: 57028D71A00204EFDB14DF64CD89EAE7BB9EF49310F048159F915AB2A1DB74ED41CB68

Function 004270D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0042712F
GetSysColorBrush.USER32(0000000F), ref: 00427160
GetSysColor.USER32(0000000F), ref: 0042716C
SetBkColor.GDI32(?,000000FF), ref: 00427186
SelectObject.GDI32(?,?), ref: 00427195
InflateRect.USER32(?,000000FF,000000FF), ref: 004271C0
GetSysColor.USER32(00000010), ref: 004271C8
CreateSolidBrush.GDI32(00000000), ref: 004271CF
FrameRect.USER32(?,?,00000000), ref: 004271DE
DeleteObject.GDI32(00000000), ref: 004271E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00427230
FillRect.USER32(?,?,?), ref: 00427262
GetWindowLongW.USER32(?,000000F0), ref: 00427284

Part of subcall function 004273E8: GetSysColor.USER32(00000012), ref: 00427421
Part of subcall function 004273E8: SetTextColor.GDI32(?,?), ref: 00427425
Part of subcall function 004273E8: GetSysColorBrush.USER32(0000000F), ref: 0042743B
Part of subcall function 004273E8: GetSysColor.USER32(0000000F), ref: 00427446
Part of subcall function 004273E8: GetSysColor.USER32(00000011), ref: 00427463
Part of subcall function 004273E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00427471
Part of subcall function 004273E8: SelectObject.GDI32(?,00000000), ref: 00427482
Part of subcall function 004273E8: SetBkColor.GDI32(?,00000000), ref: 0042748B
Part of subcall function 004273E8: SelectObject.GDI32(?,?), ref: 00427498
Part of subcall function 004273E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004274B7
Part of subcall function 004273E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004274CE
Part of subcall function 004273E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004274DB

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: a33ea8ee14024703f3e0918fddee15f047fef57b7a5ab5531ce0789ee1bf409d
Instruction ID: da8f87e1536f4a9c9c5d2f1806866932fc62cb852f4fbc653e1d811bab6aeedd
Opcode Fuzzy Hash: a33ea8ee14024703f3e0918fddee15f047fef57b7a5ab5531ce0789ee1bf409d
Instruction Fuzzy Hash: 52A1A372208321FFD7109F60DC88A6F7BA9FF49320F900A29F962961E1D774D945CB56

Function 003A8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 003A8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 003E6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 003E6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 003E6F43

Part of subcall function 003A8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003A8BE8,?,00000000,?,?,?,?,003A8BBA,00000000,?), ref: 003A8FC5

SendMessageW.USER32(?,00001053), ref: 003E6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 003E6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 003E6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 003E6FB7

Strings

0, xrefs: 003E6DCF

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: be27f73829e67711a47b803ab343acd09521c58b070caf0e88931844d6abe08d
Instruction ID: 27fd282267e1f257f2b3eb580bdc4d6760e207267cd0ab4449944803188f6b5e
Opcode Fuzzy Hash: be27f73829e67711a47b803ab343acd09521c58b070caf0e88931844d6abe08d
Instruction Fuzzy Hash: 0112DD302002A1EFCB26CF15C885BAAB7E5FF65340F594669E485CB6A1CB31EC52CF95

Function 00412711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0041273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0041286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004128A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004128B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00412900
GetClientRect.USER32(00000000,?), ref: 0041290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00412955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00412964
GetStockObject.GDI32(00000011), ref: 00412974
SelectObject.GDI32(00000000,00000000), ref: 00412978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00412988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00412991
DeleteDC.GDI32(00000000), ref: 0041299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004129C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004129DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00412A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00412A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00412A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00412A77
GetStockObject.GDI32(00000011), ref: 00412A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00412A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00412A97

Strings

msctls_progress32, xrefs: 00412A13
static, xrefs: 0041294F, 00412A71
AutoIt v3, xrefs: 004128F8
DISPLAY, xrefs: 0041295A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e61f34877e57f2b6e9785f1f1f5f510e3bf38ce8ef0b44294c1efb1b818f637a
Instruction ID: 9eab6f80de9b86a1d79d60198747191388c3aed990be65bab86c2825ecc40e11
Opcode Fuzzy Hash: e61f34877e57f2b6e9785f1f1f5f510e3bf38ce8ef0b44294c1efb1b818f637a
Instruction Fuzzy Hash: 4FB15D71A00215AFEB24DF68DD86FAF7BA9EB08710F104115F915EB2A0D7B4ED41CB98

Function 00404ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00404AED
GetDriveTypeW.KERNEL32(?,0042CB68,?,\\.\,0042CC08), ref: 00404BCA
SetErrorMode.KERNEL32(00000000,0042CB68,?,\\.\,0042CC08), ref: 00404D36

Strings

SSD, xrefs: 00404C4A
Removable, xrefs: 00404C10, 00404C15
SCSI, xrefs: 00404C8A
ATAPI, xrefs: 00404C91
Virtual, xrefs: 00404CE5
FileBackedVirtual, xrefs: 00404CEC
SAS, xrefs: 00404CC9
SATA, xrefs: 00404CD0
SSA, xrefs: 00404CA6
RAID, xrefs: 00404CBB
1394, xrefs: 00404C9F
Fixed, xrefs: 00404C09
\\.\, xrefs: 00404B3F
Network, xrefs: 00404C02
RAMDisk, xrefs: 00404BF4
PhysicalDrive, xrefs: 00404B76
USB, xrefs: 00404CB4
Fibre, xrefs: 00404CAD
Unknown, xrefs: 00404BED, 00404C83
CDROM, xrefs: 00404BFB
ATA, xrefs: 00404C98
iSCSI, xrefs: 00404CC2
MMC, xrefs: 00404CDE

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 472881cb519fda40906c605a538434a470651b15b4173f50b6c05116df89ee34
Instruction ID: 2b741dcbe6d15dce1659f3ba6e3bc557c1d638cb089e129c6145362a4bba42ed
Opcode Fuzzy Hash: 472881cb519fda40906c605a538434a470651b15b4173f50b6c05116df89ee34
Instruction Fuzzy Hash: 7961E7B0609105DBDB05DF14CA81A7D7770AB84301B664437FA06BB2D2CB3DED4AEB5A

Function 004273E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00427421
SetTextColor.GDI32(?,?), ref: 00427425
GetSysColorBrush.USER32(0000000F), ref: 0042743B
GetSysColor.USER32(0000000F), ref: 00427446
CreateSolidBrush.GDI32(?), ref: 0042744B
GetSysColor.USER32(00000011), ref: 00427463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00427471
SelectObject.GDI32(?,00000000), ref: 00427482
SetBkColor.GDI32(?,00000000), ref: 0042748B
SelectObject.GDI32(?,?), ref: 00427498
InflateRect.USER32(?,000000FF,000000FF), ref: 004274B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004274CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004274DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0042752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00427554
InflateRect.USER32(?,000000FD,000000FD), ref: 00427572
DrawFocusRect.USER32(?,?), ref: 0042757D
GetSysColor.USER32(00000011), ref: 0042758E
SetTextColor.GDI32(?,00000000), ref: 00427596
DrawTextW.USER32(?,004270F5,000000FF,?,00000000), ref: 004275A8
SelectObject.GDI32(?,?), ref: 004275BF
DeleteObject.GDI32(?), ref: 004275CA
SelectObject.GDI32(?,?), ref: 004275D0
DeleteObject.GDI32(?), ref: 004275D5
SetTextColor.GDI32(?,?), ref: 004275DB
SetBkColor.GDI32(?,?), ref: 004275E5

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 20387947d9ac15296bef8d0342e047c716b11a377a18e32ca937c6bbd693803a
Instruction ID: d5c4e7ad29dc5f69962fda7834b37824f2bada427f3b45e07e1756bec8c4558b
Opcode Fuzzy Hash: 20387947d9ac15296bef8d0342e047c716b11a377a18e32ca937c6bbd693803a
Instruction Fuzzy Hash: 27617271A00228BFDF119FA4DC89EAEBF79EF08320F504125F911AB2A1D7749941CF94

Function 00420FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00421128
GetDesktopWindow.USER32 ref: 0042113D
GetWindowRect.USER32(00000000), ref: 00421144
GetWindowLongW.USER32(?,000000F0), ref: 00421199
DestroyWindow.USER32(?), ref: 004211B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004211ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0042120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0042121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00421232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00421245
IsWindowVisible.USER32(00000000), ref: 004212A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004212BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004212D0
GetWindowRect.USER32(00000000,?), ref: 004212E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0042130E
GetMonitorInfoW.USER32(00000000,?), ref: 00421328
CopyRect.USER32(?,?), ref: 0042133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004213AA

Strings

0, xrefs: 004210D3
(, xrefs: 0042131B
tooltips_class32, xrefs: 004211E6

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e70ccdb7201351cb996070d7648c744a7636be8dcabc002b6df5e45cee212088
Instruction ID: 99d43754d1dcfa72565af03eb9ada826b3ca192e644accfca386acac91a6a1eb
Opcode Fuzzy Hash: e70ccdb7201351cb996070d7648c744a7636be8dcabc002b6df5e45cee212088
Instruction Fuzzy Hash: B5B1AA71604350AFDB10DF24D884B6FBBE5FF98340F408919F9899B2A1C735E845CB9A

Function 00420241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004202E5
_wcslen.LIBCMT ref: 0042031F
_wcslen.LIBCMT ref: 00420389
_wcslen.LIBCMT ref: 004203F1
_wcslen.LIBCMT ref: 00420475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004204C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00420504

Part of subcall function 003AF9F2: _wcslen.LIBCMT ref: 003AF9FD

Part of subcall function 003F223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003F2258
Part of subcall function 003F223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003F228A

Strings

GETITEMCOUNT, xrefs: 00420316, 00420337
GETTEXT, xrefs: 004203EC, 00420407
GETSELECTEDCOUNT, xrefs: 00420470, 0042048B
GETSELECTED, xrefs: 004205E1
SELECT, xrefs: 00420548
FINDITEM, xrefs: 00420627
SELECTCLEAR, xrefs: 0042052D
SELECTINVERT, xrefs: 0042057E
VIEWCHANGE, xrefs: 00420675
ISSELECTED, xrefs: 004204DD
SELECTALL, xrefs: 00420515
DESELECT, xrefs: 0042059C
GETSUBITEMCOUNT, xrefs: 00420384, 0042039F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 80604ef060d32b7c1598992d03de4a0889f10b3480b5d14797da559053aec234
Instruction ID: d9d77e4154c345b72fc25af9e4699a53f6be38f44b0a0e587dab1dd77e8b8b74
Opcode Fuzzy Hash: 80604ef060d32b7c1598992d03de4a0889f10b3480b5d14797da559053aec234
Instruction Fuzzy Hash: 5EE1C1313082119FCB15EF24D55092BB3E1FF89314B94856EF8969B3A2DB38ED46CB46

Function 003A8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003A8968
GetSystemMetrics.USER32(00000007), ref: 003A8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003A899B
GetSystemMetrics.USER32(00000008), ref: 003A89A3
GetSystemMetrics.USER32(00000004), ref: 003A89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003A89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003A89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 003A8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 003A8A3C
GetClientRect.USER32(00000000,000000FF), ref: 003A8A5A
GetStockObject.GDI32(00000011), ref: 003A8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 003A8A81

Part of subcall function 003A912D: GetCursorPos.USER32(?), ref: 003A9141
Part of subcall function 003A912D: ScreenToClient.USER32(00000000,?), ref: 003A915E
Part of subcall function 003A912D: GetAsyncKeyState.USER32(00000001), ref: 003A9183
Part of subcall function 003A912D: GetAsyncKeyState.USER32(00000002), ref: 003A919D

SetTimer.USER32(00000000,00000000,00000028,003A90FC), ref: 003A8AA8

Strings

AutoIt v3 GUI, xrefs: 003A8A20

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: de898aea0b2fd0b44168b101f01ba35222d45acc48495cde8881b4f66429f1f2
Instruction ID: 3593cd9bf0e54d4ffb3e1a8167efe2345068b87c13f0efc04d3e26644445e0d0
Opcode Fuzzy Hash: de898aea0b2fd0b44168b101f01ba35222d45acc48495cde8881b4f66429f1f2
Instruction Fuzzy Hash: 4EB19F71A00219AFDB15DF68CC85BAE3BB4FB48314F154229FA15E72D0DB74E841CB55

Function 003F0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003F1114
Part of subcall function 003F10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,003F0B9B,?,?,?), ref: 003F1120
Part of subcall function 003F10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003F0B9B,?,?,?), ref: 003F112F
Part of subcall function 003F10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003F0B9B,?,?,?), ref: 003F1136
Part of subcall function 003F10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003F114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 003F0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 003F0E29
GetLengthSid.ADVAPI32(?), ref: 003F0E40
GetAce.ADVAPI32(?,00000000,?), ref: 003F0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003F0E96
GetLengthSid.ADVAPI32(?), ref: 003F0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 003F0EB5
HeapAlloc.KERNEL32(00000000), ref: 003F0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 003F0EDD
CopySid.ADVAPI32(00000000), ref: 003F0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 003F0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003F0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 003F0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003F0F6E
HeapFree.KERNEL32(00000000), ref: 003F0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003F0F7E
HeapFree.KERNEL32(00000000), ref: 003F0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003F0F8E
HeapFree.KERNEL32(00000000), ref: 003F0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 003F0FA1
HeapFree.KERNEL32(00000000), ref: 003F0FA8

Part of subcall function 003F1193: GetProcessHeap.KERNEL32(00000008,003F0BB1,?,00000000,?,003F0BB1,?), ref: 003F11A1
Part of subcall function 003F1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,003F0BB1,?), ref: 003F11A8
Part of subcall function 003F1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,003F0BB1,?), ref: 003F11B7

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9ba99a05370e05e61fb7ea3afc48015f114f70a85f476aa6dc6d5b5059ef88c0
Instruction ID: 8cce0c485a59587aa4622e1ffc9941515c7b451c5908a921b694eb6a2cf52353
Opcode Fuzzy Hash: 9ba99a05370e05e61fb7ea3afc48015f114f70a85f476aa6dc6d5b5059ef88c0
Instruction Fuzzy Hash: 8B715E72A0020AEBDF259FA8DC45FBEBBB8BF04340F154165FA19E6192D7319916CB60

Function 0041C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0041C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0042CC08,00000000,?,00000000,?,?), ref: 0041C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0041C5A4
_wcslen.LIBCMT ref: 0041C5F4
_wcslen.LIBCMT ref: 0041C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0041C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0041C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0041C84D
RegCloseKey.ADVAPI32(?), ref: 0041C881
RegCloseKey.ADVAPI32(00000000), ref: 0041C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0041C960

Strings

REG_BINARY, xrefs: 0041C913
REG_MULTI_SZ, xrefs: 0041C6F5
REG_SZ, xrefs: 0041C644
REG_DWORD, xrefs: 0041C804
REG_QWORD, xrefs: 0041C8C3
REG_EXPAND_SZ, xrefs: 0041C5CD

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: e807a5c05e21140ca81f3a87dd00ab808be2f0a4f5204591e134de0562069c2b
Instruction ID: eb6d7e114617102a1a70b431e01fd061dae117aa90bfe9f525a709bee6472e24
Opcode Fuzzy Hash: e807a5c05e21140ca81f3a87dd00ab808be2f0a4f5204591e134de0562069c2b
Instruction Fuzzy Hash: DD1279356082019FDB15EF24C881B6AB7E5FF88714F15885DF88A9B3A2DB35EC41CB85

Function 0042091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004209C6
_wcslen.LIBCMT ref: 00420A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00420A54
_wcslen.LIBCMT ref: 00420A8A
_wcslen.LIBCMT ref: 00420B06
_wcslen.LIBCMT ref: 00420B81

Part of subcall function 003AF9F2: _wcslen.LIBCMT ref: 003AF9FD

Part of subcall function 003F2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003F2BFA

Strings

GETITEMCOUNT, xrefs: 00420C1E
COLLAPSE, xrefs: 00420B01, 00420B1C
GETTEXT, xrefs: 00420C97
EXISTS, xrefs: 00420B7C, 00420B97
CHECK, xrefs: 00420A85, 00420AA0
EXPAND, xrefs: 00420BF8
ISCHECKED, xrefs: 00420CE1
GETSELECTED, xrefs: 00420C4E
GETTOTALCOUNT, xrefs: 004209F2, 00420A17
UNCHECK, xrefs: 00420D3E
SELECT, xrefs: 00420D11

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 0771749d33f626cf61a9399c7f64894fe40cc2125f042fb322f38bca90f23fe9
Instruction ID: 815d8f41aad19a08cfff7b049abf685bf11be0e1bd889b1b29b80d7300e5bc91
Opcode Fuzzy Hash: 0771749d33f626cf61a9399c7f64894fe40cc2125f042fb322f38bca90f23fe9
Instruction Fuzzy Hash: 49E1AC312083118FCB15DF24D45092BB7E1BF99314B90895EF8969B3A3D738ED4ACB86

Function 0041C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0041B6AE,?,?), ref: 0041C9B5
_wcslen.LIBCMT ref: 0041C9F1
_wcslen.LIBCMT ref: 0041CA68
_wcslen.LIBCMT ref: 0041CA9E
_wcslen.LIBCMT ref: 0041CAF9
_wcslen.LIBCMT ref: 0041CB2F
_wcslen.LIBCMT ref: 0041CB7F

Strings

HKEY_USERS, xrefs: 0041CBDF
HKCR, xrefs: 0041CB29, 0041CB2E
HKEY_CLASSES_ROOT, xrefs: 0041CAF3, 0041CAF8
HKLM, xrefs: 0041CA98, 0041CA9D
HKCC, xrefs: 0041CBAC
HKCU, xrefs: 0041CBCE
HKEY_LOCAL_MACHINE, xrefs: 0041CA62, 0041CA67
HKEY_CURRENT_CONFIG, xrefs: 0041CB79, 0041CB7E
HKU, xrefs: 0041CBF0
HKEY_CURRENT_USER, xrefs: 0041CBBD

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 67a4ccebc631cef5ca11e3a8aac4082b8e1d7296283ceb2bc1754c94a0a58f81
Instruction ID: 0378aa8118652f2e3f69cfab13b2b9440f0b95cac184a3451d822faa011e472e
Opcode Fuzzy Hash: 67a4ccebc631cef5ca11e3a8aac4082b8e1d7296283ceb2bc1754c94a0a58f81
Instruction Fuzzy Hash: F871043268412A8BCB21DE68EC816FF3391AF61794B10412AFC56DB385E739DDC5C398

Function 0042833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0042835A
_wcslen.LIBCMT ref: 0042836E
_wcslen.LIBCMT ref: 00428391
_wcslen.LIBCMT ref: 004283B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004283F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00425BF2), ref: 0042844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00428487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004284CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00428501
FreeLibrary.KERNEL32(?), ref: 0042850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0042851D
DestroyIcon.USER32(?,?,?,?,?,00425BF2), ref: 0042852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00428549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00428555

Strings

.icl, xrefs: 00428368
.exe, xrefs: 00428388
.dll, xrefs: 004283AB

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: fb83d4c6fa157c4b40f8d12602b302c7bb89659a075d4648af9b374450948f8f
Instruction ID: 5e30a0daa4139f5aff2550ed44ed9d65967b68ddb5cbb6296da86aa81a0510ed
Opcode Fuzzy Hash: fb83d4c6fa157c4b40f8d12602b302c7bb89659a075d4648af9b374450948f8f
Instruction Fuzzy Hash: 5661F071600225BBEB24DF64DC81BBF77A8BF08711F50411AF915DA1D1EF78A990C7A8

Function 00397778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include-once, xrefs: 0039782F
#notrayicon, xrefs: 003977E7
#ce, xrefs: 003978ED
#OnAutoItStartRegister, xrefs: 00397817
", xrefs: 003D5153
Cannot parse #include, xrefs: 003D5279
#pragma compile, xrefs: 003977D3
#requireadmin, xrefs: 003977FF
#comments-start, xrefs: 0039785F, 003978B1
Unterminated group of comments, xrefs: 003D528C
Bad directive syntax error, xrefs: 003D519A
', xrefs: 003D5169
#include, xrefs: 00397847
#comments-end, xrefs: 003978D9
#cs, xrefs: 00397873, 003978C5

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 51d3a64bfe7b1374c20254e9d24f78bd26f47993a8bb5cce5d703205b5c4954f
Instruction ID: 3139dabbb0611c9296b6036bbfc0a6a3ad0f96921f9c6436de81b930b43b2caf
Opcode Fuzzy Hash: 51d3a64bfe7b1374c20254e9d24f78bd26f47993a8bb5cce5d703205b5c4954f
Instruction Fuzzy Hash: 5081F271654205BBDF23AFA0EC43FBE37A9AF15300F014026F904AE2D2EB71DA15C6A5

Function 00403E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00403EF8
_wcslen.LIBCMT ref: 00403F03
_wcslen.LIBCMT ref: 00403F5A
_wcslen.LIBCMT ref: 00403F98
GetDriveTypeW.KERNEL32(?), ref: 00403FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0040401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00404059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00404087

Strings

close, xrefs: 00403EFE, 00403F18
close cd wait, xrefs: 00404072
open, xrefs: 00403F54, 00403F59
type cdaudio alias cd wait, xrefs: 00404001
open , xrefs: 00403FE5
wait, xrefs: 00404044
closed, xrefs: 00403F08, 00403F2D, 00403F46, 00403F7E, 00403F97
set cd door , xrefs: 00404028

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 108fb29adbd66adb0ef329e71b0301d036ec26426ad01aea9f47b989b15900af
Instruction ID: f26bfe97fc2866bc4b1be30df6a095d6a8cdb905e28e8c3af231687768ea99c8
Opcode Fuzzy Hash: 108fb29adbd66adb0ef329e71b0301d036ec26426ad01aea9f47b989b15900af
Instruction Fuzzy Hash: 787122726042029FC710EF24C88096FB7F4EF94758F50492EF996A7291EB34ED49CB85

Function 003F5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 003F5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 003F5A40
SetWindowTextW.USER32(?,?), ref: 003F5A57
GetDlgItem.USER32(?,000003EA), ref: 003F5A6C
SetWindowTextW.USER32(00000000,?), ref: 003F5A72
GetDlgItem.USER32(?,000003E9), ref: 003F5A82
SetWindowTextW.USER32(00000000,?), ref: 003F5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 003F5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 003F5AC3
GetWindowRect.USER32(?,?), ref: 003F5ACC
_wcslen.LIBCMT ref: 003F5B33
SetWindowTextW.USER32(?,?), ref: 003F5B6F
GetDesktopWindow.USER32 ref: 003F5B75
GetWindowRect.USER32(00000000), ref: 003F5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 003F5BD3
GetClientRect.USER32(?,?), ref: 003F5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 003F5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 003F5C2F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 8dbca7b863c3458e4b62ae41c9bae59e8d53b1466ba9c169bc248b3ec681ffab
Instruction ID: 58536d0c694e9ff35647c934584c2a5eaee9578c7df761e48ec8d3d96cbe9d56
Opcode Fuzzy Hash: 8dbca7b863c3458e4b62ae41c9bae59e8d53b1466ba9c169bc248b3ec681ffab
Instruction Fuzzy Hash: 59717C31A00B09AFDB21DFA8CE85AAEBBF5FF48704F104528E642A65A0D775ED44CB54

Function 0040FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0040FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0040FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0040FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0040FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0040FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0040FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0040FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0040FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0040FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0040FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0040FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0040FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0040FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0040FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0040FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0040FECC
GetCursorInfo.USER32(?), ref: 0040FEDC
GetLastError.KERNEL32 ref: 0040FF1E

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 726dc5f40483911cff23bcbeafeabf91caed7047c6c55a4dd9ae275d4913fe0a
Instruction ID: 526f7e68e8dde5d1cc018d093b10f8b1a9bf4788f287533b67c8c3375d5250c6
Opcode Fuzzy Hash: 726dc5f40483911cff23bcbeafeabf91caed7047c6c55a4dd9ae275d4913fe0a
Instruction Fuzzy Hash: 084154B0D0431A6ADB20DFBA8C8585EBFE8FF04754B50453AE11DEB681DB78A901CF95

Function 003F30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003F318D
_wcslen.LIBCMT ref: 003F31F8

Strings

REGEXPCLASS, xrefs: 003F3255, 003F3266
TEXT, xrefs: 003F347C
CLASS, xrefs: 003F3188, 003F31A5
CLASSNN, xrefs: 003F31F3, 003F3204
NAME, xrefs: 003F3335, 003F3346
INSTANCE, xrefs: 003F3453
[E, xrefs: 003F339A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[E
API String ID: 176396367-3867730529
Opcode ID: 39b35f96768ae67c9af8b9fe81992ac8744e13da99fbb5621bb4a300488cdebc
Instruction ID: b47ae6f0d0a06f695cd16769614ff48141df13e3e4876de0cb4e645f268d4e77
Opcode Fuzzy Hash: 39b35f96768ae67c9af8b9fe81992ac8744e13da99fbb5621bb4a300488cdebc
Instruction Fuzzy Hash: 37E1E732A0051AABCB16DFB8C4517FEBBB4BF44710F55811AEA56F7241DB30AE898790

Function 003B00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003B00C6

Part of subcall function 003B00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0046070C,00000FA0,7B63C171,?,?,?,?,003D23B3,000000FF), ref: 003B011C
Part of subcall function 003B00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003D23B3,000000FF), ref: 003B0127
Part of subcall function 003B00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003D23B3,000000FF), ref: 003B0138
Part of subcall function 003B00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 003B014E
Part of subcall function 003B00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 003B015C
Part of subcall function 003B00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 003B016A
Part of subcall function 003B00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003B0195
Part of subcall function 003B00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003B01A0

___scrt_fastfail.LIBCMT ref: 003B00E7

Part of subcall function 003B00A3: __onexit.LIBCMT ref: 003B00A9

Strings

kernel32.dll, xrefs: 003B0133
WakeAllConditionVariable, xrefs: 003B0162
SleepConditionVariableCS, xrefs: 003B0154
InitializeConditionVariable, xrefs: 003B0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 003B0122

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 9c0ea94f871a1c743934cc139a6e903e35542b26c0e6404f1e4688669134db50
Instruction ID: 7af3f299fc7d35506701e42b3daf127a28ae7c11bc9e8c007858796b060409ca
Opcode Fuzzy Hash: 9c0ea94f871a1c743934cc139a6e903e35542b26c0e6404f1e4688669134db50
Instruction Fuzzy Hash: C7213E327407106FD72A6BA4BC46FAF73A4DB05F55F510536F902E7691DB749C008A9C

Function 004044C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0042CC08), ref: 00404527
_wcslen.LIBCMT ref: 0040453B
_wcslen.LIBCMT ref: 00404599
_wcslen.LIBCMT ref: 004045F4
_wcslen.LIBCMT ref: 0040463F
_wcslen.LIBCMT ref: 004046A7

Part of subcall function 003AF9F2: _wcslen.LIBCMT ref: 003AF9FD

GetDriveTypeW.KERNEL32(?,00456BF0,00000061), ref: 00404743

Strings

network, xrefs: 0040469D, 004046A2
ramdisk, xrefs: 004046F1
unknown, xrefs: 00404708
cdrom, xrefs: 0040458F, 00404594
all, xrefs: 00404531, 00404536
removable, xrefs: 004045EA, 004045EF
fixed, xrefs: 00404635, 0040463A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 5180e2d1745e5439fced016c6265654a3f3fa41e96b40eebceafd9cef90cce70
Instruction ID: e2cc6356fe57a6dbb30a823c1e69c9ce94828e959200d39cd45ce43ccb83f3bb
Opcode Fuzzy Hash: 5180e2d1745e5439fced016c6265654a3f3fa41e96b40eebceafd9cef90cce70
Instruction Fuzzy Hash: 60B1E0B16083029FC710DF28C890A6BB7E5AFE5720F50492EF696A72D1E738D845CB56

Function 0042911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003A9BB2

DragQueryPoint.SHELL32(?,?), ref: 00429147

Part of subcall function 00427674: ClientToScreen.USER32(?,?), ref: 0042769A
Part of subcall function 00427674: GetWindowRect.USER32(?,?), ref: 00427710
Part of subcall function 00427674: PtInRect.USER32(?,?,00428B89), ref: 00427720

SendMessageW.USER32(?,000000B0,?,?), ref: 004291B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004291BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004291DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00429225
SendMessageW.USER32(?,000000B0,?,?), ref: 0042923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00429255
SendMessageW.USER32(?,000000B1,?,?), ref: 00429277
DragFinish.SHELL32(?), ref: 0042927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00429371

Strings

@GUI_DRAGFILE, xrefs: 00429320
@GUI_DRAGID, xrefs: 004292E9
p#F, xrefs: 004292BB
@GUI_DROPID, xrefs: 0042929E

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#F
API String ID: 221274066-4025927928
Opcode ID: d8c4d874cc6813247868b42c8610384178cc278a153dd5929b558a1058989615
Instruction ID: dc0f0e1c70a9dd50215407cd6b7d8fca7ff9d8e2cb80a018aaf404546ac1d007
Opcode Fuzzy Hash: d8c4d874cc6813247868b42c8610384178cc278a153dd5929b558a1058989615
Instruction Fuzzy Hash: E7617E71208301AFD701EF54DC85EAFBBE8EF88750F40092EF595971A1DB709A49CB6A

Function 0039326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00461990), ref: 003D2F8D
GetMenuItemCount.USER32(00461990), ref: 003D303D
GetCursorPos.USER32(?), ref: 003D3081
SetForegroundWindow.USER32(00000000), ref: 003D308A
TrackPopupMenuEx.USER32(00461990,00000000,?,00000000,00000000,00000000), ref: 003D309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003D30A9

Strings

0, xrefs: 0039327D

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5545d61f74a9f8f846e0773b19ca6069049569a47d276138c0de7dd4643e0a1a
Instruction ID: c3f8e9912759c0290f737721dec6bb4c2188d23d4cdfbc891f05e4784f8fcb08
Opcode Fuzzy Hash: 5545d61f74a9f8f846e0773b19ca6069049569a47d276138c0de7dd4643e0a1a
Instruction Fuzzy Hash: 09710872644215BEEB228F24DC89FABBF68FF05364F204217F5156A2E0C7B1AD50D791

Function 00426CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00426DEB

Part of subcall function 00396B57: _wcslen.LIBCMT ref: 00396B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00426E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00426E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00426E94
DestroyWindow.USER32(?), ref: 00426EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00390000,00000000), ref: 00426EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00426EFD
GetDesktopWindow.USER32 ref: 00426F16
GetWindowRect.USER32(00000000), ref: 00426F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00426F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00426F4D

Part of subcall function 003A9944: GetWindowLongW.USER32(?,000000EB), ref: 003A9952

Strings

0, xrefs: 00426D98
tooltips_class32, xrefs: 00426E58, 00426EDD

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: f343fecc357bbc9f7af5e0078c03ce8e434e7f055c27c73385cea44847a11933
Instruction ID: 2ac32d3653ebec77ca80ac3012082cc0c7fc2809c56e41b4ccf23f657dc8eeba
Opcode Fuzzy Hash: f343fecc357bbc9f7af5e0078c03ce8e434e7f055c27c73385cea44847a11933
Instruction Fuzzy Hash: BC716E74204244AFDB21CF18EC44F6B7BE9FB89344F95042EF58997261D774A906CF1A

Function 0040C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0040C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0040C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0040C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0040C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0040C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0040C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0040C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0040C5F0
InternetCloseHandle.WININET(00000000), ref: 0040C5FB

Strings

, xrefs: 0040C575

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: b20021ff92e2686fbf85d91814ebac240d0926f832faec79cd0f67d152ad1404
Instruction ID: 06db17e095ae37e4b876fcb49a74027297d17e05f993aab745e0dd16aa4792bb
Opcode Fuzzy Hash: b20021ff92e2686fbf85d91814ebac240d0926f832faec79cd0f67d152ad1404
Instruction Fuzzy Hash: CE515FB4600605FFDB218F61CDC8AAB7BBCFF44754F00452AF945E6290DB38E9459BA8

Function 0042856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00428592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004285A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004285AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004285BA
GlobalLock.KERNEL32(00000000), ref: 004285C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004285D7
GlobalUnlock.KERNEL32(00000000), ref: 004285E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004285E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004285F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0042FC38,?), ref: 00428611
GlobalFree.KERNEL32(00000000), ref: 00428621
GetObjectW.GDI32(?,00000018,?), ref: 00428641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00428671
DeleteObject.GDI32(?), ref: 00428699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004286AF

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: cb0a25ca946d5f247cbc3828c44479084796c7aed0ea2075089c7c3f9d75fc1d
Instruction ID: a708b3fe22582389592755d17433e378abbbd087ad690f335e8fd96cdbd9af42
Opcode Fuzzy Hash: cb0a25ca946d5f247cbc3828c44479084796c7aed0ea2075089c7c3f9d75fc1d
Instruction Fuzzy Hash: 62413B71701214EFDB219FA5DC88EAF7BB8EF89711F504069F905E7250DB34A902CB68

Function 004014BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00401502
VariantCopy.OLEAUT32(?,?), ref: 0040150B
VariantClear.OLEAUT32(?), ref: 00401517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004015FB
VarR8FromDec.OLEAUT32(?,?), ref: 00401657
VariantInit.OLEAUT32(?), ref: 00401708
SysFreeString.OLEAUT32(?), ref: 0040178C
VariantClear.OLEAUT32(?), ref: 004017D8
VariantClear.OLEAUT32(?), ref: 004017E7
VariantInit.OLEAUT32(00000000), ref: 00401823

Strings

Default, xrefs: 004016AF
%4d%02d%02d%02d%02d%02d, xrefs: 00401625

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 6cdb0f763462562111f203717a901ee5f900fb9e8d76522ca1c70e33b1c3a5fb
Instruction ID: 05aca32156b6d734bccb1e54c309d2912acdf8895dd626333b4c437114c06f4c
Opcode Fuzzy Hash: 6cdb0f763462562111f203717a901ee5f900fb9e8d76522ca1c70e33b1c3a5fb
Instruction Fuzzy Hash: E4D1EF32A00505EBDB11AF65D885B7EB7B5BF45700F50806BE406AF2E0DB38DC46DB6A

Function 0041B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

Part of subcall function 0041C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0041B6AE,?,?), ref: 0041C9B5
Part of subcall function 0041C998: _wcslen.LIBCMT ref: 0041C9F1
Part of subcall function 0041C998: _wcslen.LIBCMT ref: 0041CA68
Part of subcall function 0041C998: _wcslen.LIBCMT ref: 0041CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0041B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0041B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0041B80A
RegCloseKey.ADVAPI32(?), ref: 0041B87E
RegCloseKey.ADVAPI32(?), ref: 0041B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0041B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0041B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0041B922
FreeLibrary.KERNEL32(00000000), ref: 0041B983
RegCloseKey.ADVAPI32(00000000), ref: 0041B994

Strings

RegDeleteKeyExW, xrefs: 0041B8FE
advapi32.dll, xrefs: 0041B8ED

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: d6018ed576da4db14cff9d5e010020e5dfbcf49532bc1e4b843722fad564907f
Instruction ID: 7a5bb9f3fdcfe1bb05a52ffa08d3a4ac2bb0650c048303d164bbf356058da451
Opcode Fuzzy Hash: d6018ed576da4db14cff9d5e010020e5dfbcf49532bc1e4b843722fad564907f
Instruction Fuzzy Hash: 20C18C34208201AFD711DF14C495F6ABBE5FF84308F54859DE4AA4B3A2CB75E886CBD6

Function 0041255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004125D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004125E8
CreateCompatibleDC.GDI32(?), ref: 004125F4
SelectObject.GDI32(00000000,?), ref: 00412601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0041266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004126AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004126D0
SelectObject.GDI32(?,?), ref: 004126D8
DeleteObject.GDI32(?), ref: 004126E1
DeleteDC.GDI32(?), ref: 004126E8
ReleaseDC.USER32(00000000,?), ref: 004126F3

Strings

(, xrefs: 0041268D

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5cc1717751dc5d8c2b7412a41db28121a24e80479f562112ce6b4708dcbdfa43
Instruction ID: 0fa097d1e61107bcd412630cd60ae845d5eeaef127db590f5a76536f2b4be73c
Opcode Fuzzy Hash: 5cc1717751dc5d8c2b7412a41db28121a24e80479f562112ce6b4708dcbdfa43
Instruction Fuzzy Hash: 73611275E00219EFCF14CFA4C984AAEBBB6FF48300F20842AE955A7250D774A951CF94

Function 003CDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 003CDAA1

Part of subcall function 003CD63C: _free.LIBCMT ref: 003CD659
Part of subcall function 003CD63C: _free.LIBCMT ref: 003CD66B
Part of subcall function 003CD63C: _free.LIBCMT ref: 003CD67D
Part of subcall function 003CD63C: _free.LIBCMT ref: 003CD68F
Part of subcall function 003CD63C: _free.LIBCMT ref: 003CD6A1
Part of subcall function 003CD63C: _free.LIBCMT ref: 003CD6B3
Part of subcall function 003CD63C: _free.LIBCMT ref: 003CD6C5
Part of subcall function 003CD63C: _free.LIBCMT ref: 003CD6D7
Part of subcall function 003CD63C: _free.LIBCMT ref: 003CD6E9
Part of subcall function 003CD63C: _free.LIBCMT ref: 003CD6FB
Part of subcall function 003CD63C: _free.LIBCMT ref: 003CD70D
Part of subcall function 003CD63C: _free.LIBCMT ref: 003CD71F
Part of subcall function 003CD63C: _free.LIBCMT ref: 003CD731

_free.LIBCMT ref: 003CDA96

Part of subcall function 003C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003CD7D1,00000000,00000000,00000000,00000000,?,003CD7F8,00000000,00000007,00000000,?,003CDBF5,00000000), ref: 003C29DE
Part of subcall function 003C29C8: GetLastError.KERNEL32(00000000,?,003CD7D1,00000000,00000000,00000000,00000000,?,003CD7F8,00000000,00000007,00000000,?,003CDBF5,00000000,00000000), ref: 003C29F0

_free.LIBCMT ref: 003CDAB8
_free.LIBCMT ref: 003CDACD
_free.LIBCMT ref: 003CDAD8
_free.LIBCMT ref: 003CDAFA
_free.LIBCMT ref: 003CDB0D
_free.LIBCMT ref: 003CDB1B
_free.LIBCMT ref: 003CDB26
_free.LIBCMT ref: 003CDB5E
_free.LIBCMT ref: 003CDB65
_free.LIBCMT ref: 003CDB82
_free.LIBCMT ref: 003CDB9A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9d1a78e3153c443d1b76ea38f0fe2c57c400019a20699f1fa73609611210b921
Instruction ID: b48bbce0397f35f1e2e7bd3a3b88bfa78dad60fc4d80c1b8300cbea3fcdb47b0
Opcode Fuzzy Hash: 9d1a78e3153c443d1b76ea38f0fe2c57c400019a20699f1fa73609611210b921
Instruction Fuzzy Hash: F73115326046059FEB23AA39E845F5BB7E9FF01311F16442DF449DB192DB31AC908B24

Function 003F365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 003F369C
_wcslen.LIBCMT ref: 003F36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 003F3797
GetClassNameW.USER32(?,?,00000400), ref: 003F380C
GetDlgCtrlID.USER32(?), ref: 003F385D
GetWindowRect.USER32(?,?), ref: 003F3882
GetParent.USER32(?), ref: 003F38A0
ScreenToClient.USER32(00000000), ref: 003F38A7
GetClassNameW.USER32(?,?,00000100), ref: 003F3921
GetWindowTextW.USER32(?,?,00000400), ref: 003F395D

Strings

%s%u, xrefs: 003F3734

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: f7af994810bc366a1b5226c82649fe7d392a1b904c8662695ec41de407ed175a
Instruction ID: 2ea020bdff9f95af50ea234fd9433bc47b14cfb12ef64732dd8478ed14eda2b5
Opcode Fuzzy Hash: f7af994810bc366a1b5226c82649fe7d392a1b904c8662695ec41de407ed175a
Instruction Fuzzy Hash: FE91C67120460AAFD71ADF24C885FFAF7A8FF44350F004529FA99D6150DB74EA49CB91

Function 003F4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 003F4994
GetWindowTextW.USER32(?,?,00000400), ref: 003F49DA
_wcslen.LIBCMT ref: 003F49EB
CharUpperBuffW.USER32(?,00000000), ref: 003F49F7
_wcsstr.LIBVCRUNTIME ref: 003F4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 003F4A64
GetWindowTextW.USER32(?,?,00000400), ref: 003F4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 003F4AE6
GetClassNameW.USER32(?,?,00000400), ref: 003F4B20
GetWindowRect.USER32(?,?), ref: 003F4B8B

Strings

ThumbnailClass, xrefs: 003F4A6F, 003F4AF1

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: fcfeb4e025125b58f8a97dc7102761351bc0e381dd9d3b44634161987cb221e7
Instruction ID: dc0053451716938029aaad9568017f9e97b8f057d753d9115f0ac4a21c36d9c3
Opcode Fuzzy Hash: fcfeb4e025125b58f8a97dc7102761351bc0e381dd9d3b44634161987cb221e7
Instruction Fuzzy Hash: 2291B0311082099FDB16CF14C985BBB77E8FF44314F05846AFE859A196EB34ED45CBA1

Function 00428D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003A9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00428D5A
GetFocus.USER32 ref: 00428D6A
GetDlgCtrlID.USER32(00000000), ref: 00428D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00428E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00428ECF
GetMenuItemCount.USER32(?), ref: 00428EEC
GetMenuItemID.USER32(?,00000000), ref: 00428EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00428F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00428F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00428FA1

Strings

0, xrefs: 00428E9F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 611af623e081e8339f27167790872ecb5214e6da9f49a82482bd75ed0c0cdea5
Instruction ID: 5eb68b8fb448a1cefd477291778ca2e34dede4a140bd81d1e77eb2759a6bd7aa
Opcode Fuzzy Hash: 611af623e081e8339f27167790872ecb5214e6da9f49a82482bd75ed0c0cdea5
Instruction Fuzzy Hash: DA81CE71605320AFD720CF14E984AAF7BE9FB88314F45052EF984D7291DB74D905CBAA

Function 003FDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 003FDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003FDC46
_wcslen.LIBCMT ref: 003FDC50
_wcsstr.LIBVCRUNTIME ref: 003FDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 003FDCBC

Strings

04090000, xrefs: 003FDCF2
%u.%u.%u.%u, xrefs: 003FDD9A
StringFileInfo\, xrefs: 003FDC8F
\VarFileInfo\Translation, xrefs: 003FDCB4
DefaultLangCodepage, xrefs: 003FDD1F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: c51b339e38b44894a5ca635bf607279b8e5809ee01692986b3b8457f4b35bfa4
Instruction ID: 5bf81af57f03f7e654d0c0d16bd1b56520b3bce6dc08d7e37da64c52008534c0
Opcode Fuzzy Hash: c51b339e38b44894a5ca635bf607279b8e5809ee01692986b3b8457f4b35bfa4
Instruction Fuzzy Hash: 32411932A402157ADB16B774DC47FFF776CEF56710F60016AFB00AA183EB749A0196A8

Function 0041CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0041CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0041CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0041CD48

Part of subcall function 0041CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0041CCAA
Part of subcall function 0041CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0041CCBD
Part of subcall function 0041CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0041CCCF
Part of subcall function 0041CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0041CD05
Part of subcall function 0041CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0041CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0041CCF3

Strings

RegDeleteKeyExW, xrefs: 0041CCC9
advapi32.dll, xrefs: 0041CCB8

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: dea92dc7817183da251e6c983698696a2f02253b615693b87570fb9ce56dd5ba
Instruction ID: a546554db4afba59cedcbffcdaf64cc146225472c2a4990bb41c6cd6f6806d48
Opcode Fuzzy Hash: dea92dc7817183da251e6c983698696a2f02253b615693b87570fb9ce56dd5ba
Instruction Fuzzy Hash: 79316D71A41129BBD7209B91DCC8EFFBB7CEF05740F000166A905E2240DA789E86DAE8

Function 00403D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00403D40
_wcslen.LIBCMT ref: 00403D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00403D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00403DBE
RemoveDirectoryW.KERNEL32(?), ref: 00403DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00403E55
CloseHandle.KERNEL32(00000000), ref: 00403E60
CloseHandle.KERNEL32(00000000), ref: 00403E6B

Strings

:, xrefs: 00403D82
\??\%s, xrefs: 00403D5B
\, xrefs: 00403D77

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: e2ca0da53aeafd56baa2ef34c63f1d4dae85ef519ad7b45e74c7955bd9770fea
Instruction ID: 0d99f140c52bbeadcebfbaca95568aaccbb76a79180378c7851ae0a692ad1f1b
Opcode Fuzzy Hash: e2ca0da53aeafd56baa2ef34c63f1d4dae85ef519ad7b45e74c7955bd9770fea
Instruction Fuzzy Hash: 1331A571A00109ABDB219FA0DC85FEF37BCEF88705F5041B6F505E6190EB7497458B68

Function 003FE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 003FE6B4

Part of subcall function 003AE551: timeGetTime.WINMM(?,?,003FE6D4), ref: 003AE555

Sleep.KERNEL32(0000000A), ref: 003FE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 003FE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 003FE727
SetActiveWindow.USER32 ref: 003FE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003FE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 003FE773
Sleep.KERNEL32(000000FA), ref: 003FE77E
IsWindow.USER32 ref: 003FE78A
EndDialog.USER32(00000000), ref: 003FE79B

Strings

BUTTON, xrefs: 003FE719

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 59ec80f5ecace2a41627e335a9fc49ce2360b27aca04432894e5059019e40d1f
Instruction ID: b3939beddc0a0a59e6b68e88570edee77df0c0394e4df1a985b8505900f67794
Opcode Fuzzy Hash: 59ec80f5ecace2a41627e335a9fc49ce2360b27aca04432894e5059019e40d1f
Instruction Fuzzy Hash: 69219270300608BFEB126F64EDCDA393B69FB54749B500435FA12925B1EBF29C158B2E

Function 003FE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003FEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 003FEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003FEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 003FEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 003FEAA7

Strings

alias PlayMe, xrefs: 003FEA36
open , xrefs: 003FEA0C
close PlayMe, xrefs: 003FEA6E, 003FEA9B
play PlayMe, xrefs: 003FEAA2
status PlayMe mode, xrefs: 003FEA58
play PlayMe wait, xrefs: 003FEA91

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: cbe571b6c8dc38aa09789f940c35bad6760b32f75f69a7d214aec7f3541f8a8b
Instruction ID: 5da7b43f28f36848d52b6dc021281d802ba7d747aa67ff3f90de232ac45972b0
Opcode Fuzzy Hash: cbe571b6c8dc38aa09789f940c35bad6760b32f75f69a7d214aec7f3541f8a8b
Instruction Fuzzy Hash: D411A3B1A9025D79DB21A7A1DC4AEFF6A7CEBD1F00F51042ABC01A70E1EE700909C9B0

Function 003F5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 003F5CE2
GetWindowRect.USER32(00000000,?), ref: 003F5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 003F5D59
GetDlgItem.USER32(?,00000002), ref: 003F5D69
GetWindowRect.USER32(00000000,?), ref: 003F5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 003F5DCF
GetDlgItem.USER32(?,000003E9), ref: 003F5DDD
GetWindowRect.USER32(00000000,?), ref: 003F5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 003F5E31
GetDlgItem.USER32(?,000003EA), ref: 003F5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 003F5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 003F5E67

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 5c4e9275ca54dadfffdfcf736832ea2098a604114eda043f7c2a0e5b007c3fa6
Instruction ID: 3dfe7fc1b8a9b6c2b4a614f11851f34f2ddfe61a621b5bc7278534267c555463
Opcode Fuzzy Hash: 5c4e9275ca54dadfffdfcf736832ea2098a604114eda043f7c2a0e5b007c3fa6
Instruction Fuzzy Hash: 29512E71B00609AFDB18CFA8CD89AAEBBB9FB48300F508129F615E6290D7709E05CB50

Function 003A8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 003A8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003A8BE8,?,00000000,?,?,?,?,003A8BBA,00000000,?), ref: 003A8FC5

DestroyWindow.USER32(?), ref: 003A8C81
KillTimer.USER32(00000000,?,?,?,?,003A8BBA,00000000,?), ref: 003A8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 003E6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,003A8BBA,00000000,?), ref: 003E69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,003A8BBA,00000000,?), ref: 003E69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,003A8BBA,00000000), ref: 003E69D4
DeleteObject.GDI32(00000000), ref: 003E69E6

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 3cd54e2682b6036008217856ad60a9ef294a6232394d76605685ff25ab9465be
Instruction ID: d590ebae6437ac48cc3944bb9ed7163420626318915b10fa9b03ba450b825d16
Opcode Fuzzy Hash: 3cd54e2682b6036008217856ad60a9ef294a6232394d76605685ff25ab9465be
Instruction Fuzzy Hash: 0A61C970502650DFCB369F15C989B29B7F1FF52322F194628E0429B9B0CB71AC91CF99

Function 003A9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 003A9944: GetWindowLongW.USER32(?,000000EB), ref: 003A9952

GetSysColor.USER32(0000000F), ref: 003A9862

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c3750b4df0fc4c95d6a3f35ef797fb02f569fdd138368c9d44d45c081a90c9c4
Instruction ID: 394778a7c2a811ef159ffc210a4481fa115dfb1d59d93319d87902ee37ce3599
Opcode Fuzzy Hash: c3750b4df0fc4c95d6a3f35ef797fb02f569fdd138368c9d44d45c081a90c9c4
Instruction Fuzzy Hash: EA41F531200650AFDB325F389C88BB93BA9EB07330F55461AF9B2AB1E1C7359C42DB10

Function 003C8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.;, xrefs: 003C903A, 003C8FD0, 003C8FF2

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID: .;
API String ID: 0-414037994
Opcode ID: bf303a2b5b9081b1055dc38b4819fdd1832cebd703346395345f7023893f3777
Instruction ID: f3bfa397f3e4646c4ed4bb920fc9a2e78219c20670ddb47dbd02523b6fc79d3b
Opcode Fuzzy Hash: bf303a2b5b9081b1055dc38b4819fdd1832cebd703346395345f7023893f3777
Instruction Fuzzy Hash: EEC1D174A04259AFCB12DFA8DC45FEDBBB4AF09310F06409EE915EB292C7709E41CB61

Function 003F96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,003DF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 003F9717
LoadStringW.USER32(00000000,?,003DF7F8,00000001), ref: 003F9720

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,003DF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 003F9742
LoadStringW.USER32(00000000,?,003DF7F8,00000001), ref: 003F9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 003F9866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 003F984A
Line %d (File "%s"):, xrefs: 003F978F
Line %d:, xrefs: 003F97A0
Error: , xrefs: 003F981D
^ ERROR, xrefs: 003F97FB

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: bf42b64cf757e1c27a230a26996a819ce20c5371db2966f64e307e74ecc21be6
Instruction ID: 32dfc1b6fe9c9bef3ba9999e8ed6d0ccd490c29efe7d06d69ae89eb728e7ec51
Opcode Fuzzy Hash: bf42b64cf757e1c27a230a26996a819ce20c5371db2966f64e307e74ecc21be6
Instruction Fuzzy Hash: 78413D72900219AACF06EBE0DD86FFE7378AF15340F50016AF6057A092EB756F48CB61

Function 003F06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00396B57: _wcslen.LIBCMT ref: 00396B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003F07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003F07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003F07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 003F0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 003F082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003F0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003F083C

Strings

\CLSID, xrefs: 003F0724
SOFTWARE\Classes\, xrefs: 003F070E
\IPC$, xrefs: 003F0784

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 2380d8e5bceba61f835b9bdcbe4120d9473d4367d58fc42dc0f582c61abf4d5b
Instruction ID: 5a6909a88f5b4c7333a926941421161617b4a5409c1f3505263c146d0ffe430d
Opcode Fuzzy Hash: 2380d8e5bceba61f835b9bdcbe4120d9473d4367d58fc42dc0f582c61abf4d5b
Instruction Fuzzy Hash: 034118B2D1022DABCF26EFA4DC95DFDB778BF04350B554169E905A7161EB309E04CB90

Function 00413C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00413C5C
CoInitialize.OLE32(00000000), ref: 00413C8A
CoUninitialize.OLE32 ref: 00413C94
_wcslen.LIBCMT ref: 00413D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00413DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00413ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00413F0E
CoGetObject.OLE32(?,00000000,0042FB98,?), ref: 00413F2D
SetErrorMode.KERNEL32(00000000), ref: 00413F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00413FC4
VariantClear.OLEAUT32(?), ref: 00413FD8

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 1ddba54d391476bc8c1466c2cbec13de1902b80399a2786f4a0a31591b259e28
Instruction ID: b168897719e1c9e50e35d61353eba94633c7a494c9ff0f2aef047f0c05c72132
Opcode Fuzzy Hash: 1ddba54d391476bc8c1466c2cbec13de1902b80399a2786f4a0a31591b259e28
Instruction Fuzzy Hash: 43C177716083019FD700DF28C88496BBBE9FF89749F00496EF98A9B250D734EE46CB56

Function 00407A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00407AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00407B8F
SHGetDesktopFolder.SHELL32(?), ref: 00407BA3
CoCreateInstance.OLE32(0042FD08,00000000,00000001,00456E6C,?), ref: 00407BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00407C74
CoTaskMemFree.OLE32(?,?), ref: 00407CCC
SHBrowseForFolderW.SHELL32(?), ref: 00407D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00407D7A
CoTaskMemFree.OLE32(00000000), ref: 00407D81
CoTaskMemFree.OLE32(00000000), ref: 00407DD6
CoUninitialize.OLE32 ref: 00407DDC

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: fc793eea34fb47bbfb11fcc13fac1442b1f029f7ea1fb5c5cb402936b75df88f
Instruction ID: 315307ba5e7a5323441a76f1e8184a1f6ccf54325f6f6813edde2606b1d3929a
Opcode Fuzzy Hash: fc793eea34fb47bbfb11fcc13fac1442b1f029f7ea1fb5c5cb402936b75df88f
Instruction Fuzzy Hash: 80C12C75A04109AFCB14DF64C884DAEBBF9FF48304B1484A9E91AEB361D734EE45CB94

Function 0042541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00425504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00425515
CharNextW.USER32(00000158), ref: 00425544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00425585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0042559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004255AC

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 05aa4a04130242f89678cefe724782b75866119d2923c7f60c2c480c9b079357
Instruction ID: 0a787a699b8d73c4f85338ca9b737509e1a5f99228b66c66fc784fc0c2a0a5dd
Opcode Fuzzy Hash: 05aa4a04130242f89678cefe724782b75866119d2923c7f60c2c480c9b079357
Instruction Fuzzy Hash: AC619070A00628ABDF10DF54EC84AFF7B79EF05720F904156F925A7290D7788A81DB69

Function 003EFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003EFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 003EFB08
VariantInit.OLEAUT32(?), ref: 003EFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 003EFB3A
VariantCopy.OLEAUT32(?,?), ref: 003EFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 003EFBA1
VariantClear.OLEAUT32(?), ref: 003EFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 003EFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003EFBCC
VariantClear.OLEAUT32(?), ref: 003EFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003EFBE9

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: f6b060598888aae088206ec2e2c02a64aa1add32a5f37bb6b3e44684fb4c90c5
Instruction ID: d2a2ec43540badc9ab066f103d677b2186fe03698a2f28d554f54422c0825bf8
Opcode Fuzzy Hash: f6b060598888aae088206ec2e2c02a64aa1add32a5f37bb6b3e44684fb4c90c5
Instruction Fuzzy Hash: 73416335A00219DFCF15EF65CC949AEBBB9FF48344F408179E906AB2A1D770A946CF90

Function 003F9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 003F9CA1
GetAsyncKeyState.USER32(000000A0), ref: 003F9D22
GetKeyState.USER32(000000A0), ref: 003F9D3D
GetAsyncKeyState.USER32(000000A1), ref: 003F9D57
GetKeyState.USER32(000000A1), ref: 003F9D6C
GetAsyncKeyState.USER32(00000011), ref: 003F9D84
GetKeyState.USER32(00000011), ref: 003F9D96
GetAsyncKeyState.USER32(00000012), ref: 003F9DAE
GetKeyState.USER32(00000012), ref: 003F9DC0
GetAsyncKeyState.USER32(0000005B), ref: 003F9DD8
GetKeyState.USER32(0000005B), ref: 003F9DEA

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4a5926e346a018d822ec6ec773c6245b8b5ad0ad18913b0fdcb97730b9851d3f
Instruction ID: 3b2e646d550486324bbdc186913ec46870657268e5706468f52f4feff4b000ee
Opcode Fuzzy Hash: 4a5926e346a018d822ec6ec773c6245b8b5ad0ad18913b0fdcb97730b9851d3f
Instruction Fuzzy Hash: 5541F834604BCD6DFF32976488443B5BEA06F22344F55806BDBC6575C2DBE499C8C7A2

Function 0041055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004105BC
inet_addr.WSOCK32(?), ref: 0041061C
gethostbyname.WSOCK32(?), ref: 00410628
IcmpCreateFile.IPHLPAPI ref: 00410636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004106C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004106E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004107B9
WSACleanup.WSOCK32 ref: 004107BF

Strings

Ping, xrefs: 00410676

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2673ecc4bc756ad0f65ee775be55dbf60d0a14ede6aa4a0c195c40c4fd39fa85
Instruction ID: 8d301fa21b61286e1f62b04fd63ef70cd7170b9c38aa61969c58b129140184da
Opcode Fuzzy Hash: 2673ecc4bc756ad0f65ee775be55dbf60d0a14ede6aa4a0c195c40c4fd39fa85
Instruction Fuzzy Hash: CE919C35604201AFD721DF15C489F5ABBE1AF44318F1485AAE4698F7A2C7B4ECC2CF85

Function 00418CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00418CF3

Part of subcall function 003F8E54: _wcslen.LIBCMT ref: 003F8E77

_wcslen.LIBCMT ref: 00418D4E
_wcslen.LIBCMT ref: 00418D9C
_wcslen.LIBCMT ref: 00418DDC
_wcslen.LIBCMT ref: 00418E6E

Strings

winapi, xrefs: 00418D96, 00418D9B
cdecl, xrefs: 00418D48, 00418D4D
stdcall, xrefs: 00418DD6, 00418DDB
none, xrefs: 00418E65, 00418E6A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: e94b7ad9915e831b2934d124cec229516252ef729ca3c3d96df86e423b7fe673
Instruction ID: 9edac69e64f03019f12746b21313de70efdf8185af6ce97eaa268b1129f04e90
Opcode Fuzzy Hash: e94b7ad9915e831b2934d124cec229516252ef729ca3c3d96df86e423b7fe673
Instruction Fuzzy Hash: B7519331A042169BCF14DF68C9405FEB7A5BF65724B20422EE825EB3C5DB38DD81C794

Function 0041372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00413774
CoUninitialize.OLE32 ref: 0041377F
CoCreateInstance.OLE32(?,00000000,00000017,0042FB78,?), ref: 004137D9
IIDFromString.OLE32(?,?), ref: 0041384C
VariantInit.OLEAUT32(?), ref: 004138E4
VariantClear.OLEAUT32(?), ref: 00413936

Strings

Failed to create object, xrefs: 004137E4, 0041389A
NULL Pointer assignment, xrefs: 0041381E
Invalid parameter, xrefs: 00413865

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: b84286a03a8005f2234c5c9228fd1a44fb385b838c2510c2ec12885061a1661d
Instruction ID: 81b20550970825865bab9e8e3d3e3900a2bcf099745c0a9f6357a9956f7157a8
Opcode Fuzzy Hash: b84286a03a8005f2234c5c9228fd1a44fb385b838c2510c2ec12885061a1661d
Instruction Fuzzy Hash: 8861D3702083019FD711EF54C884B9BBBE4EF45712F10485EF9859B291C774EE89CB9A

Function 00428B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003A9BB2

Part of subcall function 003A912D: GetCursorPos.USER32(?), ref: 003A9141
Part of subcall function 003A912D: ScreenToClient.USER32(00000000,?), ref: 003A915E
Part of subcall function 003A912D: GetAsyncKeyState.USER32(00000001), ref: 003A9183
Part of subcall function 003A912D: GetAsyncKeyState.USER32(00000002), ref: 003A919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00428B6B
ImageList_EndDrag.COMCTL32 ref: 00428B71
ReleaseCapture.USER32 ref: 00428B77
SetWindowTextW.USER32(?,00000000), ref: 00428C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00428C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00428CFF

Strings

@GUI_DRAGFILE, xrefs: 00428C9A
p#F, xrefs: 00428C71
@GUI_DROPID, xrefs: 00428C51

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#F
API String ID: 1924731296-3812149384
Opcode ID: e4fd757f669cbb5ff4805b1b1f5a9d53bfe8e27740427476a3ab1501bf42f729
Instruction ID: 5ebfa36d5f918ecf2d684fc4e9205c2bb0aebb3d8eea98c9f0328aea52419bb1
Opcode Fuzzy Hash: e4fd757f669cbb5ff4805b1b1f5a9d53bfe8e27740427476a3ab1501bf42f729
Instruction Fuzzy Hash: F751AD71205310AFD700EF15DC96FAE77E4FB88714F40062EF9569B2A1DB749904CB6A

Function 00403388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004033CF

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004033F0

Strings

Line %d (File "%s"):, xrefs: 00403443, 0040345C
Error: , xrefs: 004034D1
"%s" (%d) : ==> %s:, xrefs: 00403522
Incorrect parameters to object property !, xrefs: 004034AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00403504
^ ERROR , xrefs: 0040349E

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 35787b449e2fd6326bc477a50056ea1cec944f2c521dcb22c3c8275af78fee41
Instruction ID: 50b506af1366ede28003bdae03692aa14f4b3f371f22982184359f879afaff80
Opcode Fuzzy Hash: 35787b449e2fd6326bc477a50056ea1cec944f2c521dcb22c3c8275af78fee41
Instruction Fuzzy Hash: 8951AF71900209BADF16EBE0CD42EEEB778AF04341F204166F905771A2EB752F58CB65

Function 003FB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003FB5FC
_wcslen.LIBCMT ref: 003FB608
_wcslen.LIBCMT ref: 003FB64D
_wcslen.LIBCMT ref: 003FB68C
_wcslen.LIBCMT ref: 003FB6C7

Strings

EXISTS, xrefs: 003FB686, 003FB68B
KEYS, xrefs: 003FB647, 003FB64C
APPEND, xrefs: 003FB6C1, 003FB6C6
REMOVE, xrefs: 003FB602, 003FB607

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 4a06f03a856b0936c16c582c39a44b36e4791302260256a65efb67edecfbd337
Instruction ID: e8cccbde768601a3e0d41276c7226cc4a29e49ecff79210c56a24b26f35a5aca
Opcode Fuzzy Hash: 4a06f03a856b0936c16c582c39a44b36e4791302260256a65efb67edecfbd337
Instruction Fuzzy Hash: 92410BB2A0002B9BCB116F7DCD905BEF7A5BF60758B264129E621DB284F735CD81C790

Function 00405393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004053A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00405416
GetLastError.KERNEL32 ref: 00405420
SetErrorMode.KERNEL32(00000000,READY), ref: 004054A7

Strings

UNKNOWN, xrefs: 00405444
READY, xrefs: 00405460, 00405468
INVALID, xrefs: 00405459
READONLY, xrefs: 00405452
NOTREADY, xrefs: 0040544B

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 9bde265d638fd6e70cf0538d85badfb92b30011e045495a651ad405ec5d1ed26
Instruction ID: f8a089d74bfd488e0c481627c49a9beeb15e131a4ee59b6dad81c71e88673a65
Opcode Fuzzy Hash: 9bde265d638fd6e70cf0538d85badfb92b30011e045495a651ad405ec5d1ed26
Instruction Fuzzy Hash: A1318B35A006059FCB11DF68C485BEBBBB4EB05305F54806AE805AF392DB78DD86CF95

Function 00423C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00423C79
SetMenu.USER32(?,00000000), ref: 00423C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00423D10
IsMenu.USER32(?), ref: 00423D24
CreatePopupMenu.USER32 ref: 00423D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00423D5B
DrawMenuBar.USER32 ref: 00423D63

Strings

0, xrefs: 00423C54
F, xrefs: 00423D4E

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 10e4f085978d8ef82603da26066ec6f088acc69a9c52331127d9b73982e84789
Instruction ID: 8a86426c7381eb7e2da019fcd6540b56bc3e3184a4e903aa4b1bfa930bb0c478
Opcode Fuzzy Hash: 10e4f085978d8ef82603da26066ec6f088acc69a9c52331127d9b73982e84789
Instruction Fuzzy Hash: B541AB75B01219EFDB20CF60E884AAA7BB5FF49341F140069F90697360D778EA11CF98

Function 003F1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

Part of subcall function 003F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003F3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 003F1F64
GetDlgCtrlID.USER32 ref: 003F1F6F
GetParent.USER32 ref: 003F1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 003F1F8E
GetDlgCtrlID.USER32(?), ref: 003F1F97
GetParent.USER32(?), ref: 003F1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 003F1FAE

Strings

ComboBox, xrefs: 003F1EEC
ListBox, xrefs: 003F1F21

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: ddeb59c3310bb7715a055d4a9c9c4bd20355705572d1644407e3f3ca018ce0a8
Instruction ID: 49cd4ea6350c55f372bd6243f92d3b19bea583b2620010a0fce36ae77e6b6df6
Opcode Fuzzy Hash: ddeb59c3310bb7715a055d4a9c9c4bd20355705572d1644407e3f3ca018ce0a8
Instruction Fuzzy Hash: 6621D770A00218BBCF16EFA4DC95EFEBBB8EF05310F10025AFA6167291CB345909DB64

Function 00423A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00423A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00423AA0
GetWindowLongW.USER32(?,000000F0), ref: 00423AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00423AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00423B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00423BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00423BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00423BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00423BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00423C13

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: daef09d988a8e91902ada890af8a84cc5994336286089c3df9ea4421d5fbdb0a
Instruction ID: 115c9479ea79af5d082d4095873f9f7fbdb5b5fccd60fa008b0c85539c7cc916
Opcode Fuzzy Hash: daef09d988a8e91902ada890af8a84cc5994336286089c3df9ea4421d5fbdb0a
Instruction Fuzzy Hash: DB618D75A00218AFDB10DF64DC81EEE77B8EB09700F1401AAFA15A73A2D778AE45DF54

Function 003FB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003FB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,003FA1E1,?,00000001), ref: 003FB165
GetWindowThreadProcessId.USER32(00000000), ref: 003FB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003FA1E1,?,00000001), ref: 003FB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 003FB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,003FA1E1,?,00000001), ref: 003FB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003FA1E1,?,00000001), ref: 003FB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003FA1E1,?,00000001), ref: 003FB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,003FA1E1,?,00000001), ref: 003FB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,003FA1E1,?,00000001), ref: 003FB21D

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 8d4b3ed9538c48ee3cb6f084be4219a705757a24ce8cd2e131cd1efdfe70157f
Instruction ID: e85334d4ffca75d7722319f2f0b6b2425d9a96aa2ba91cc0f0e4182947138969
Opcode Fuzzy Hash: 8d4b3ed9538c48ee3cb6f084be4219a705757a24ce8cd2e131cd1efdfe70157f
Instruction Fuzzy Hash: C931CEB1640208BFDB229F24DC88BBDBBA9FB51316F114424FA00D6190E7B4DA058F69

Function 003C2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003C2C94

Part of subcall function 003C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003CD7D1,00000000,00000000,00000000,00000000,?,003CD7F8,00000000,00000007,00000000,?,003CDBF5,00000000), ref: 003C29DE
Part of subcall function 003C29C8: GetLastError.KERNEL32(00000000,?,003CD7D1,00000000,00000000,00000000,00000000,?,003CD7F8,00000000,00000007,00000000,?,003CDBF5,00000000,00000000), ref: 003C29F0

_free.LIBCMT ref: 003C2CA0
_free.LIBCMT ref: 003C2CAB
_free.LIBCMT ref: 003C2CB6
_free.LIBCMT ref: 003C2CC1
_free.LIBCMT ref: 003C2CCC
_free.LIBCMT ref: 003C2CD7
_free.LIBCMT ref: 003C2CE2
_free.LIBCMT ref: 003C2CED
_free.LIBCMT ref: 003C2CFB

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 26131c4d5a6718de241338e0827f5e773ec422e7c2cc81bdfbdfd91a428b66db
Instruction ID: f1fc466aa037806556e59471cb7cc9d4325355db326be919da07b64c7112934c
Opcode Fuzzy Hash: 26131c4d5a6718de241338e0827f5e773ec422e7c2cc81bdfbdfd91a428b66db
Instruction Fuzzy Hash: C7114776510108AFCB03EF55D942EDE3BA5FF06350F5145A9F9489F222D731EE609B90

Function 00407DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00407FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00407FC1
GetFileAttributesW.KERNEL32(?), ref: 00407FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00408005
SetCurrentDirectoryW.KERNEL32(?), ref: 00408017
SetCurrentDirectoryW.KERNEL32(?), ref: 00408060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004080B0

Strings

*.*, xrefs: 00408066

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 8f1ba4d664d8033b7ea70ea951b9d5d786e83e8654891f196b8570ae3639ca55
Instruction ID: 4f7c39dc8924f240b4562d4f5c7678cb336c0992f5610bd726bedcfd9eb9ff3a
Opcode Fuzzy Hash: 8f1ba4d664d8033b7ea70ea951b9d5d786e83e8654891f196b8570ae3639ca55
Instruction Fuzzy Hash: 418180729082059BCB20EF14C4449ABB3D8BF89314F54487FF885EB290EB39ED458B97

Function 00395BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00395C7A

Part of subcall function 00395D0A: GetClientRect.USER32(?,?), ref: 00395D30
Part of subcall function 00395D0A: GetWindowRect.USER32(?,?), ref: 00395D71
Part of subcall function 00395D0A: ScreenToClient.USER32(?,?), ref: 00395D99

GetDC.USER32 ref: 003D46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003D4708
SelectObject.GDI32(00000000,00000000), ref: 003D4716
SelectObject.GDI32(00000000,00000000), ref: 003D472B
ReleaseDC.USER32(?,00000000), ref: 003D4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003D47C4

Strings

U, xrefs: 003D4693

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: f3ca43e67de64e7549636d90a8ceb6035d92a0db3fc36a2f63bea30183e288ac
Instruction ID: b0210e6acf30315c60602c4d72bf482639a3aa85102266b770cced39bef904c4
Opcode Fuzzy Hash: f3ca43e67de64e7549636d90a8ceb6035d92a0db3fc36a2f63bea30183e288ac
Instruction Fuzzy Hash: 6A71F132500205DFCF238F64D984ABA7BB5FF4A364F19426AED665A2A6D331CC81DF50

Function 0040359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004035E4

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

LoadStringW.USER32(00462390,?,00000FFF,?), ref: 0040360A

Strings

Line %d (File "%s"):, xrefs: 0040366B
Error: , xrefs: 004036EF
"%s" (%d) : ==> %s:, xrefs: 00403742
"%s" (%d) : ==> %s:%s%s, xrefs: 00403724
^ ERROR, xrefs: 004036C9

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: f9f649dde8af94bdfb805300dcc37710d81f011993635f9f2da6f99f21483e30
Instruction ID: eefea82a2c86ba7b8715a51aae11f9b2e2e9903f17ac3c663d49265c0ea4c520
Opcode Fuzzy Hash: f9f649dde8af94bdfb805300dcc37710d81f011993635f9f2da6f99f21483e30
Instruction Fuzzy Hash: E0518F71900209BADF16EFA0CC82EEEBB38AF14301F14412AF505771A1EB751A99DFA5

Function 0040C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0040C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0040C2CA
GetLastError.KERNEL32 ref: 0040C322
SetEvent.KERNEL32(?), ref: 0040C336
InternetCloseHandle.WININET(00000000), ref: 0040C341

Strings

, xrefs: 0040C2BB

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 4085ddcfd749d5b86de60d12b3a43ce413ce6f0313257d378f7f226a7dbaad07
Instruction ID: 255f11bd6be3dc7c2b371c6ff079bf67179cb133857d6e816125399076902c7e
Opcode Fuzzy Hash: 4085ddcfd749d5b86de60d12b3a43ce413ce6f0313257d378f7f226a7dbaad07
Instruction Fuzzy Hash: 07316171600604EFD7219F6588C4A6B7AFCEB49744B50463EF846E2280DB38DD059BA9

Function 003F989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003D3AAF,?,?,Bad directive syntax error,0042CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 003F98BC
LoadStringW.USER32(00000000,?,003D3AAF,?), ref: 003F98C3

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003F9987

Strings

Line %d (File "%s"):, xrefs: 003F992D
Line %d:, xrefs: 003F9912
Error: , xrefs: 003F9955
%s (%d) : ==> %s.: %s %s, xrefs: 003F98F1
., xrefs: 003F996D

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: a438caa4f85b6eff3c8160e9230d898ac7259b1acc2e54d0cb5a8def24a82fbc
Instruction ID: 49ec1a15c268ffb5b16e8291d19b43722e8d60c262f9564e573c4b87e7b2bfd9
Opcode Fuzzy Hash: a438caa4f85b6eff3c8160e9230d898ac7259b1acc2e54d0cb5a8def24a82fbc
Instruction Fuzzy Hash: 4F217E3194021EABCF16AF90CC46FFE7739FF18301F44446AF9156A0A2EB759618CB64

Function 003F209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003F20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 003F20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003F214D

Strings

largeicons, xrefs: 003F20E1
smallicons, xrefs: 003F2115
list, xrefs: 003F212F
SHELLDLL_DefView, xrefs: 003F20CC
details, xrefs: 003F20FB

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: d5acc918d72cd23ce903667d69004465101f2fd056516d7753c677b7aab79f3f
Instruction ID: a23d90630dc7197dd64371fba516d68335b42c67577f87805599c546310167b2
Opcode Fuzzy Hash: d5acc918d72cd23ce903667d69004465101f2fd056516d7753c677b7aab79f3f
Instruction Fuzzy Hash: 4C110A7668470AF9FA132220DC1BDFB779CCF05325B210126FB04A94D3FE65A816551C

Function 003CCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 003CCEB7
_free.LIBCMT ref: 003CCF22
_free.LIBCMT ref: 003CCF48
_free.LIBCMT ref: 003CCF71
_free.LIBCMT ref: 003CCFA9
_free.LIBCMT ref: 003CCFDA
_free.LIBCMT ref: 003CD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 003CD09C
_free.LIBCMT ref: 003CD0B5

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c6984d35408076aafe76b9decdb7167370f3e47f68d1a40d34a8140ba86b2605
Instruction ID: 931f9d3c2f8c5a0699dc4e53970624bbc03cd02632f8f67c9cbbfa757ba2e51b
Opcode Fuzzy Hash: c6984d35408076aafe76b9decdb7167370f3e47f68d1a40d34a8140ba86b2605
Instruction Fuzzy Hash: AB610671904311AFDB23AFB89C81F6A7BA9AF06360F05427DF949DB282E7729D018751

Function 003A8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 003E6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003E68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003E68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003E68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003E68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,003A8874,00000000,00000000,00000000,000000FF,00000000), ref: 003E6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 003E691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,003A8874,00000000,00000000,00000000,000000FF,00000000), ref: 003E692D

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 610a1812c2ef0ccfb1d0158ffd3a1144bc72fff29bd4c4eac574d4a0786e23ff
Instruction ID: 63b668c83bbc5c0f87802797406fae59141f181d30508f4a6ca8da8ca1ba2c0a
Opcode Fuzzy Hash: 610a1812c2ef0ccfb1d0158ffd3a1144bc72fff29bd4c4eac574d4a0786e23ff
Instruction Fuzzy Hash: 60518870600209EFDB22CF25CC96BAA7BB5FF59350F104628F912972E0DB70E991DB60

Function 0040C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0040C182
GetLastError.KERNEL32 ref: 0040C195
SetEvent.KERNEL32(?), ref: 0040C1A9

Part of subcall function 0040C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0040C272
Part of subcall function 0040C253: GetLastError.KERNEL32 ref: 0040C322
Part of subcall function 0040C253: SetEvent.KERNEL32(?), ref: 0040C336
Part of subcall function 0040C253: InternetCloseHandle.WININET(00000000), ref: 0040C341

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: b9b8540d17af71b4a6736c4b15f78b8e0783b391c0691126c1d66c02fc53d103
Instruction ID: a07cde3972c2ff41adab535307acea283f7c87130732f4afe722240f4ffb07e0
Opcode Fuzzy Hash: b9b8540d17af71b4a6736c4b15f78b8e0783b391c0691126c1d66c02fc53d103
Instruction Fuzzy Hash: 4131A271A00601EFDB219FA5DD84A6BBBF9FF54300B00467EF95696650C734E8119FA8

Function 003F25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 003F3A57
Part of subcall function 003F3A3D: GetCurrentThreadId.KERNEL32 ref: 003F3A5E
Part of subcall function 003F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003F25B3), ref: 003F3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 003F25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003F25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003F25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 003F25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003F2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 003F2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 003F260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003F2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 003F2627

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e2532f9416272e6dd4126004203cc82e8e553acd38b28fb0275363d70d719aba
Instruction ID: d2b494cbe0a439e72f95f66d825695b1a0cf558c8e60c0c6e9ae132b97cb4541
Opcode Fuzzy Hash: e2532f9416272e6dd4126004203cc82e8e553acd38b28fb0275363d70d719aba
Instruction Fuzzy Hash: 2001D430390614BBFB2067699CCAF6A3F59DF4EB12F500021F368AE0D1C9E224458A6E

Function 003F1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,003F1449,?,?,00000000), ref: 003F180C
HeapAlloc.KERNEL32(00000000,?,003F1449,?,?,00000000), ref: 003F1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,003F1449,?,?,00000000), ref: 003F1828
GetCurrentProcess.KERNEL32(?,00000000,?,003F1449,?,?,00000000), ref: 003F1830
DuplicateHandle.KERNEL32(00000000,?,003F1449,?,?,00000000), ref: 003F1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,003F1449,?,?,00000000), ref: 003F1843
GetCurrentProcess.KERNEL32(003F1449,00000000,?,003F1449,?,?,00000000), ref: 003F184B
DuplicateHandle.KERNEL32(00000000,?,003F1449,?,?,00000000), ref: 003F184E
CreateThread.KERNEL32(00000000,00000000,003F1874,00000000,00000000,00000000), ref: 003F1868

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 6079a493b69e063bd03c5232049e594c5990415e913803b6142d146ed9b5e64a
Instruction ID: d11bcb8427d2f18803f6a7e377f6fb90b043da2f379c4cbfe3e7e11c2e478168
Opcode Fuzzy Hash: 6079a493b69e063bd03c5232049e594c5990415e913803b6142d146ed9b5e64a
Instruction Fuzzy Hash: 1E01AC75740308BFE620AB65DC8AF6B3B6CEB89B11F504461FA05DB191C6709C158F64

Function 003C3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 003C3F0B
__alldvrm.LIBCMT ref: 003C410C
__alldvrm.LIBCMT ref: 003C412E

Strings

}};, xrefs: 003C40CD
}};, xrefs: 003C3E8A
}};, xrefs: 003C3E96, 003C3EF1, 003C3F0A, 003C4090

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }};$}};$}};
API String ID: 1036877536-953129221
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: bec8e92da5e2c7bf7ced989d6133f9a3dabb50c7ce543cbaf717d90a5c972a24
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: CAA13572E103969FDB23CE18C8A1FAAFBE5EF65350F19456DE585DB281C2348D81C750

Function 0041A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 003FD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 003FD501
Part of subcall function 003FD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 003FD50F
Part of subcall function 003FD4DC: CloseHandle.KERNELBASE(00000000), ref: 003FD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0041A16D
GetLastError.KERNEL32 ref: 0041A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0041A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0041A268
GetLastError.KERNEL32(00000000), ref: 0041A273
CloseHandle.KERNEL32(00000000), ref: 0041A2C4

Strings

SeDebugPrivilege, xrefs: 0041A18F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: f32697eaebfef0329c57e1f95669a033d92c1440e94a7217833738a9fb33f69a
Instruction ID: f4009345c88bd979f2b997adb64ae073376015a7b33bf7481b8bee995e432930
Opcode Fuzzy Hash: f32697eaebfef0329c57e1f95669a033d92c1440e94a7217833738a9fb33f69a
Instruction Fuzzy Hash: 1561C131205202AFD721DF14C494F6ABBE1AF44318F58849DE45A8F7A3C776EC86CB86

Function 00423886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00423925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0042393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00423954
_wcslen.LIBCMT ref: 00423999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004239C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004239F4

Strings

SysListView32, xrefs: 004238F7

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 1bb52dec6e287fb48d6e3a39ba8d4e82053c36514fc3f6ddde98a47895bab3bb
Instruction ID: 54836daf14d1b1260d603543a7bcc3a385eeb0445ea79be3e86bcbec83fc6250
Opcode Fuzzy Hash: 1bb52dec6e287fb48d6e3a39ba8d4e82053c36514fc3f6ddde98a47895bab3bb
Instruction Fuzzy Hash: F241B471A00228ABDB219F64DC45BEF7BB9EF08354F500526F944E7281D7799D84CB98

Function 003FBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003FBCFD
IsMenu.USER32(00000000), ref: 003FBD1D
CreatePopupMenu.USER32 ref: 003FBD53
GetMenuItemCount.USER32(00DE5488), ref: 003FBDA4
InsertMenuItemW.USER32(00DE5488,?,00000001,00000030), ref: 003FBDCC

Strings

2, xrefs: 003FBD37
0, xrefs: 003FBCA8

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: fb6fd7dd832fe8a3c124ef3992915fa5eb1acb719a16387fb2fc092d48b59702
Instruction ID: 64f4a0a8019455592588cdde49958ca00ccd3e86482e8563711203f6f36f3be5
Opcode Fuzzy Hash: fb6fd7dd832fe8a3c124ef3992915fa5eb1acb719a16387fb2fc092d48b59702
Instruction Fuzzy Hash: D4519EB0A0020DABDB22DFA8D984BBEFBF8AF45314F144229F651DB290D7709941CB52

Function 003B2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 003B2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 003B2D53
_ValidateLocalCookies.LIBCMT ref: 003B2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 003B2E0C
_ValidateLocalCookies.LIBCMT ref: 003B2E61

Strings

&H;, xrefs: 003B2DFE, 003B2E07, 003B2E18
csm, xrefs: 003B2DF6

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H;$csm
API String ID: 1170836740-2864433844
Opcode ID: 175bdcc8c973f0bb3175a837eff6085dc00157c0b1034fde62b59a105ba9cb61
Instruction ID: d01bcd14487294da4756d51e0cdfe8ded67c748c36c702f203fa22437a72df80
Opcode Fuzzy Hash: 175bdcc8c973f0bb3175a837eff6085dc00157c0b1034fde62b59a105ba9cb61
Instruction Fuzzy Hash: B341C834A002199BCF11DF68C845ADFBBB5FF44318F158269EA24AB792D731EA05CBD1

Function 003FC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 003FC913

Strings

stop, xrefs: 003FC8E4
question, xrefs: 003FC8CC
blank, xrefs: 003FC895
info, xrefs: 003FC8B4
warning, xrefs: 003FC8FC

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 3a1fc47e811deeb1dcf03ec0c57dcdc744cbe252c9ef166ebef4eba775af4e3f
Instruction ID: 50e80bb903eff6c3acce2db68e8b6fbff7e75aa92fdf8b35274f615f7221d217
Opcode Fuzzy Hash: 3a1fc47e811deeb1dcf03ec0c57dcdc744cbe252c9ef166ebef4eba775af4e3f
Instruction Fuzzy Hash: 7B1138316D930EBAEB029B109D82DBB639CCF15359B61103BFB00A6183E7A59E00526C

Function 003FDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003FDE42
gethostname.WSOCK32(?,00000100), ref: 003FDE5C
gethostbyname.WSOCK32(?), ref: 003FDE69
inet_ntoa.WSOCK32(?), ref: 003FDEAB
_strcat.LIBCMT ref: 003FDEB9
WSACleanup.WSOCK32 ref: 003FDEDE

Strings

0.0.0.0, xrefs: 003FDE87

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: a77ace3533cd9270d1baea70d479800e50ca9d200bb1caad62bc8c91fdbce41e
Instruction ID: 5dde7619992975c2482f410ffaee4b55b1e4a496e88f49d6a0edaba53520ce28
Opcode Fuzzy Hash: a77ace3533cd9270d1baea70d479800e50ca9d200bb1caad62bc8c91fdbce41e
Instruction Fuzzy Hash: A8113631904109AFCB32BB609C4AEEE77ADDF21715F01017AF6459E091EFB48A818A64

Function 003FED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 003FED2A
_wcslen.LIBCMT ref: 003FED3B
_wcslen.LIBCMT ref: 003FED79
_wcslen.LIBCMT ref: 003FEDAF
_wcslen.LIBCMT ref: 003FEDDF
_wcslen.LIBCMT ref: 003FEDEF
_wcslen.LIBCMT ref: 003FEE2B
_wcslen.LIBCMT ref: 003FEE5A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: dace454748ce9d38a36965f47446afcfca66ff487cae97348bd05cfed7e7627d
Instruction ID: cacdb5776b55bad98699c4509b08e87db6837e19c89aa49b54898e17131096a2
Opcode Fuzzy Hash: dace454748ce9d38a36965f47446afcfca66ff487cae97348bd05cfed7e7627d
Instruction Fuzzy Hash: D2419465C1011876DB12EBF48C8A9DFB7A8AF45710F508862F614EB522FB34D255C3E9

Function 003AF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,003E682C,00000004,00000000,00000000), ref: 003AF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,003E682C,00000004,00000000,00000000), ref: 003EF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,003E682C,00000004,00000000,00000000), ref: 003EF454

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ddae37aa13d6553f2fb551499cb7a17b55f182f8885e4d8df8673830eea30a50
Instruction ID: 07624452386b8fc0e2cc82801fcbb4104547bbeca90d5528d03e565ca0885e17
Opcode Fuzzy Hash: ddae37aa13d6553f2fb551499cb7a17b55f182f8885e4d8df8673830eea30a50
Instruction Fuzzy Hash: 54415B30208680BEC77B9B6EC8C876B7B96EF57314F55453CE087579A0D7B6A880CB51

Function 00422D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00422D1B
GetDC.USER32(00000000), ref: 00422D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00422D2E
ReleaseDC.USER32(00000000,00000000), ref: 00422D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00422D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00422D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00425A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00422DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00422DE1

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6e8315ffb3b96717e97e81c4eb87460002cd9184cbdbfdb696da8fd5277a0e93
Instruction ID: f766154a7f9f491240919254bc1cf7fa5bf34ce7925693fc837d01538bd7f409
Opcode Fuzzy Hash: 6e8315ffb3b96717e97e81c4eb87460002cd9184cbdbfdb696da8fd5277a0e93
Instruction Fuzzy Hash: 24317F72211224BFEB214F50DC8AFEB3BA9EF09755F444065FE089A291C6B59C51CBA8

Function 003F5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 003F5637
_memcmp.LIBVCRUNTIME ref: 003F5659
_memcmp.LIBVCRUNTIME ref: 003F5671
_memcmp.LIBVCRUNTIME ref: 003F5684
_memcmp.LIBVCRUNTIME ref: 003F569E
_memcmp.LIBVCRUNTIME ref: 003F56B1
_memcmp.LIBVCRUNTIME ref: 003F56C9
_memcmp.LIBVCRUNTIME ref: 003F56E4

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d61e5199c5bcee6bbd59a2bdbb5f86a43f45de186cc2e10ed2d0fff1bc5819e2
Instruction ID: 5fa26b006a59b7acfa87db3b996bc6b5c829a44e2480e2909cb1e18ef5abfdc9
Opcode Fuzzy Hash: d61e5199c5bcee6bbd59a2bdbb5f86a43f45de186cc2e10ed2d0fff1bc5819e2
Instruction Fuzzy Hash: 5021F562744A1D77D21666219D92FFA239CAE203C9FD40031FF19DEA81F724ED1481A9

Function 00414FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00415007
NULL Pointer assignment, xrefs: 0041502E, 00415383

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ad4a01f849a5f2c78dd8233af63d6057d42400518f3dcb1ef569df6eb5f3f3b7
Instruction ID: 8e236a22007e9213d9190555decfc945879c1d3b52c20fdf44ec2f4adab2d56c
Opcode Fuzzy Hash: ad4a01f849a5f2c78dd8233af63d6057d42400518f3dcb1ef569df6eb5f3f3b7
Instruction Fuzzy Hash: D3D19F75A0060AEFDF10CF98D880BEEB7B5BF88344F14816AE915AB281D774DD85CB94

Function 003D1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,003D17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 003D15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003D17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003D1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,003D17FB,?,003D17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003D16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003D17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003D16FB

Part of subcall function 003C3820: HeapAlloc.KERNEL32(00000000,?,00461444,?,003AFDF5,?,?,0039A976,00000010,00461440,003913FC,?,003913C6,?,00391129), ref: 003C3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,003D17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003D1777
__freea.LIBCMT ref: 003D17A2
__freea.LIBCMT ref: 003D17AE

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocHeapInfo
String ID:
API String ID: 2171645-0
Opcode ID: c893e7d6142a989a31886df3a9e8b4868117ab6fb94647a25e07841927923483
Instruction ID: 11c560d43a6570c8b30b7512b502cf68c413f5d670773f7ab732046a922f2d73
Opcode Fuzzy Hash: c893e7d6142a989a31886df3a9e8b4868117ab6fb94647a25e07841927923483
Instruction Fuzzy Hash: F491C573E00216BBDB228E74E881AEE7BB6AF45310F19465AF805E7351D739DD44CB60

Function 00414523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00414648
VariantInit.OLEAUT32(?), ref: 00414749
VariantClear.OLEAUT32(?), ref: 00414753
VariantClear.OLEAUT32(?), ref: 004147B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0041472C
Null Object assignment in FOR..IN loop, xrefs: 004145D8, 00414706, 004147BE

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: bdf90ad48fc274528bd254bc3af478bc007773e54b34d6c5a35648af8aaecca4
Instruction ID: a96bb87dabeb4858f90c5579f5733297202c826cc5d8a46cfbf2844d6e3519b2
Opcode Fuzzy Hash: bdf90ad48fc274528bd254bc3af478bc007773e54b34d6c5a35648af8aaecca4
Instruction Fuzzy Hash: 4E91A271A00215ABDF20CFA4C844FEF7BB8EF86714F10856AF515AB281D7789985CBA4

Function 00401187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0040125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00401284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004012A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004012D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0040135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004013C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00401430

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 73f4cff7a4c3abe2bc1214df2071dbfda7f1e3c1402e00a25699335a1bb7e572
Instruction ID: a144f1654f61bef9eb67684c0d0d3f375fc3cc59aab824afd1b75863070ee5e1
Opcode Fuzzy Hash: 73f4cff7a4c3abe2bc1214df2071dbfda7f1e3c1402e00a25699335a1bb7e572
Instruction Fuzzy Hash: 2B91CF71A002189FEB119F94C885BBEB7B5FF45314F14407AE901FB2E1D778A942CB99

Function 003A948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3853e3680a6048ea42e841eb262db59b5fc7ab2152ea8d0a30b0d9776016d033
Instruction ID: b1a8045650ddaec4fd629968ac912a48aa6f83047229b7ca834a5dda3db505c5
Opcode Fuzzy Hash: 3853e3680a6048ea42e841eb262db59b5fc7ab2152ea8d0a30b0d9776016d033
Instruction Fuzzy Hash: BA916B71D00219EFCB12CFA9CC85AEEBBB9FF4A320F144556E515B7251D374A942CB60

Function 00413947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0041396B
CharUpperBuffW.USER32(?,?), ref: 00413A7A
_wcslen.LIBCMT ref: 00413A8A
VariantClear.OLEAUT32(?), ref: 00413C1F

Part of subcall function 00400CDF: VariantInit.OLEAUT32(00000000), ref: 00400D1F
Part of subcall function 00400CDF: VariantCopy.OLEAUT32(?,?), ref: 00400D28
Part of subcall function 00400CDF: VariantClear.OLEAUT32(?), ref: 00400D34

Strings

AUTOIT.ERROR, xrefs: 00413A80, 00413A85
Incorrect Parameter format, xrefs: 004139A6, 00413BA1

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 4aff484d71bc6bf534f220cc39ee6890ff6070ea1a77e35492cb6cb75720f9e8
Instruction ID: 0d1082614a8e38f7fb4c394cb6e8d8cdf463c1faf0d8166a4fb635b3dff3b474
Opcode Fuzzy Hash: 4aff484d71bc6bf534f220cc39ee6890ff6070ea1a77e35492cb6cb75720f9e8
Instruction Fuzzy Hash: 6B917A756083059FCB04DF28C4809AAB7E4FF89715F14896EF88A9B351DB34EE45CB86

Function 00414BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 003F000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,003EFF41,80070057,?,?,?,003F035E), ref: 003F002B
Part of subcall function 003F000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003EFF41,80070057,?,?), ref: 003F0046
Part of subcall function 003F000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003EFF41,80070057,?,?), ref: 003F0054
Part of subcall function 003F000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003EFF41,80070057,?), ref: 003F0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00414C51
_wcslen.LIBCMT ref: 00414D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00414DCF
CoTaskMemFree.OLE32(?), ref: 00414DDA

Strings

NULL Pointer assignment, xrefs: 00414E23, 00414E52

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 76ab6878ce179fde52e69deff81ee7df3bdd8bcf1c2eb0c7ff8aaef9ed41747a
Instruction ID: 89f1945d84142f4f3078a31351fb8fca548e7f972526324668dc66619f8d3588
Opcode Fuzzy Hash: 76ab6878ce179fde52e69deff81ee7df3bdd8bcf1c2eb0c7ff8aaef9ed41747a
Instruction Fuzzy Hash: 73914771D0021DAFDF15DFA4D891EEEB7B8BF48304F10816AE915AB251EB349A45CFA0

Function 004220FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00422183
GetMenuItemCount.USER32(00000000), ref: 004221B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004221DD
_wcslen.LIBCMT ref: 00422213
GetMenuItemID.USER32(?,?), ref: 0042224D
GetSubMenu.USER32(?,?), ref: 0042225B

Part of subcall function 003F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 003F3A57
Part of subcall function 003F3A3D: GetCurrentThreadId.KERNEL32 ref: 003F3A5E
Part of subcall function 003F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003F25B3), ref: 003F3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004222E3

Part of subcall function 003FE97B: Sleep.KERNEL32 ref: 003FE9F3

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 098de25a44831d3e86a07c656a2b7c8f024329f39ec89d37ded32621a7d74094
Instruction ID: a0fd685c947b64f0d63c2925092a7eaeba6fa59b1d5ab452250b71c67585fe69
Opcode Fuzzy Hash: 098de25a44831d3e86a07c656a2b7c8f024329f39ec89d37ded32621a7d74094
Instruction Fuzzy Hash: 6071B235A00215EFCB11DF64D981AAEB7F1EF48310F5084A9E816EB351D779ED428BA4

Function 00427E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00DE5690), ref: 00427F37
IsWindowEnabled.USER32(00DE5690), ref: 00427F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0042801E
SendMessageW.USER32(00DE5690,000000B0,?,?), ref: 00428051
IsDlgButtonChecked.USER32(?,?), ref: 00428089
GetWindowLongW.USER32(00DE5690,000000EC), ref: 004280AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 004280C3

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: f7b59bff0e8d39a214f97c36df1ab8cb30ad1d3e3e86176bee0e6c66e581a763
Instruction ID: 0282005ce69e532983ae86a7f86e784e923f58bd9c3de9cf6eb01f06478bee58
Opcode Fuzzy Hash: f7b59bff0e8d39a214f97c36df1ab8cb30ad1d3e3e86176bee0e6c66e581a763
Instruction Fuzzy Hash: 4B71F03470D224AFEB209F20E984FAF7BB5EF09340F95005AE945973A1CB79A845CB19

Function 003FAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 003FAEF9
GetKeyboardState.USER32(?), ref: 003FAF0E
SetKeyboardState.USER32(?), ref: 003FAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 003FAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 003FAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 003FAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 003FB020

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 28249253f7563e18a1259e5f8e3caf35b7fd2814bfc049c4c0be839860cd4b29
Instruction ID: e44e2d3e03c3ed1ff44304581ab9fce7849f8ff3f4dc7ae094519a02aa755a7a
Opcode Fuzzy Hash: 28249253f7563e18a1259e5f8e3caf35b7fd2814bfc049c4c0be839860cd4b29
Instruction Fuzzy Hash: DD51B4E0604BDA3DFB374234CC45BBABEE96B06304F098589E2D9598C2D7D9ACC8D751

Function 003FACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 003FAD19
GetKeyboardState.USER32(?), ref: 003FAD2E
SetKeyboardState.USER32(?), ref: 003FAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 003FADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 003FADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003FAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003FAE38

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 758aa66b7338abc9272918c48ce6bbdcd904a835b4a051f8d78c6c0ad0522d15
Instruction ID: c1275f66d00f826704b1f7a2747e373bf47ad15eff5e3c28b0504a6ed12ad72b
Opcode Fuzzy Hash: 758aa66b7338abc9272918c48ce6bbdcd904a835b4a051f8d78c6c0ad0522d15
Instruction Fuzzy Hash: CE51E6E1504BD93DFB378334CC95B7ABEA96B45300F098488F2DD4A8D2C294EC88E752

Function 003C542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(003D3CD6,?,?,?,?,?,?,?,?,003C5BA3,?,?,003D3CD6,?,?), ref: 003C5470
__fassign.LIBCMT ref: 003C54EB
__fassign.LIBCMT ref: 003C5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,003D3CD6,00000005,00000000,00000000), ref: 003C552C
WriteFile.KERNEL32(?,003D3CD6,00000000,003C5BA3,00000000,?,?,?,?,?,?,?,?,?,003C5BA3,?), ref: 003C554B
WriteFile.KERNEL32(?,?,00000001,003C5BA3,00000000,?,?,?,?,?,?,?,?,?,003C5BA3,?), ref: 003C5584

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a285ad5bff5f18714961476d43d602b51c349047d7190f986c9b3d8e2806fa23
Instruction ID: cb640a6e84652309595ea80386d00769aab244346222c2c10fe5de31ca2cc2b9
Opcode Fuzzy Hash: a285ad5bff5f18714961476d43d602b51c349047d7190f986c9b3d8e2806fa23
Instruction Fuzzy Hash: A0519271A006099FDB11CFA8D885FEEBBF9EF09300F14451EE556E7291D670AE81CB64

Function 004110B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0041304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0041307A
Part of subcall function 0041304E: _wcslen.LIBCMT ref: 0041309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00411112
WSAGetLastError.WSOCK32 ref: 00411121
WSAGetLastError.WSOCK32 ref: 004111C9
closesocket.WSOCK32(00000000), ref: 004111F9

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: f5ae6d5843c017cc4350cacc0edafff85f8e5d8e138ec800522d8c7179efde36
Instruction ID: 0f3566a6f4d970acd768c202b5d9201cb2ba4c540e62dfd269fa1a93b0c8d0e9
Opcode Fuzzy Hash: f5ae6d5843c017cc4350cacc0edafff85f8e5d8e138ec800522d8c7179efde36
Instruction Fuzzy Hash: 8741C631600204AFDB109F14C884BEAF7E9EF49324F14806AFA159B2A1D774AD81CBE5

Function 003FCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003FDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003FCF22,?), ref: 003FDDFD

Part of subcall function 003FDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003FCF22,?), ref: 003FDE16

lstrcmpiW.KERNEL32(?,?), ref: 003FCF45
MoveFileW.KERNEL32(?,?), ref: 003FCF7F
_wcslen.LIBCMT ref: 003FD005
_wcslen.LIBCMT ref: 003FD01B
SHFileOperationW.SHELL32(?), ref: 003FD061

Strings

\*.*, xrefs: 003FCFF3

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: cb3773de9ab2699f4915602704ee3b3a4ec0aebff694fe52d66cb557a7331923
Instruction ID: fee6d5493924971a5d7941f14a78cfa45ba53c87307c6eecffbbccc119811a9d
Opcode Fuzzy Hash: cb3773de9ab2699f4915602704ee3b3a4ec0aebff694fe52d66cb557a7331923
Instruction Fuzzy Hash: A941567194521D5FDF13EBA4CA81AEEB7B9AF08340F1000E6E605EB152EF34A744CB50

Function 00422DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00422E1C
GetWindowLongW.USER32(?,000000F0), ref: 00422E4F
GetWindowLongW.USER32(?,000000F0), ref: 00422E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00422EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00422EE0
GetWindowLongW.USER32(?,000000F0), ref: 00422EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00422F0B

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e677353766d70072f34dd9524bad018c1d32fe443e7a9b0808c45ea8d463ed66
Instruction ID: cbbcee62506237c07868c52a4749decb3648cc31463ab4f3a1d68899c3f6e51f
Opcode Fuzzy Hash: e677353766d70072f34dd9524bad018c1d32fe443e7a9b0808c45ea8d463ed66
Instruction Fuzzy Hash: B4310730704160AFDB21CF58ED84F6A37E1EB5A710F9A0166F9148F2B1CBB5A845EF49

Function 003F7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003F7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003F778F
SysAllocString.OLEAUT32(00000000), ref: 003F7792
SysAllocString.OLEAUT32(?), ref: 003F77B0
SysFreeString.OLEAUT32(?), ref: 003F77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 003F77DE
SysAllocString.OLEAUT32(?), ref: 003F77EC

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 53e2fdbb2d0acecf355c5fca6443de4aac6742c6576bc4bce98f18c05003c1f1
Instruction ID: b85e25a7bea931079e032ab13a0077b3870610c2a033287b4e26044d3a85cc91
Opcode Fuzzy Hash: 53e2fdbb2d0acecf355c5fca6443de4aac6742c6576bc4bce98f18c05003c1f1
Instruction Fuzzy Hash: 3D21AE7661821DAFDB21EFA8CC88CBB73ACEB093647508025FA14DB160D670DC468BA4

Function 003F77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003F7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003F7868
SysAllocString.OLEAUT32(00000000), ref: 003F786B
SysAllocString.OLEAUT32 ref: 003F788C
SysFreeString.OLEAUT32 ref: 003F7895
StringFromGUID2.OLE32(?,?,00000028), ref: 003F78AF
SysAllocString.OLEAUT32(?), ref: 003F78BD

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 465e75bd1a7c9e507ca453e337de1912a70a6a11bfb02207d633d47fa5524a0d
Instruction ID: fb4f1911f353dda29e6ce9d939c922c775607600f9c0716e40dd33c38d1f4e8a
Opcode Fuzzy Hash: 465e75bd1a7c9e507ca453e337de1912a70a6a11bfb02207d633d47fa5524a0d
Instruction Fuzzy Hash: D3217431604108AFDB21AFA8DC8DDBB77ECEB097A07518135FA15CB2A1D670DC41CB68

Function 004004D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004004F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0040052E

Strings

nul, xrefs: 00400567

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 22815ae89d7f8769d86e5670b5d2689395da6d8dbcceec421edafba7170d6157
Instruction ID: fcd6650e405094b5d8882ed3fd503b4421d8825b4ed10d5220d07971bb5919b1
Opcode Fuzzy Hash: 22815ae89d7f8769d86e5670b5d2689395da6d8dbcceec421edafba7170d6157
Instruction Fuzzy Hash: A4218B71A00305ABDB20DF29DC44B9A7BB4AF45724F604A3AF8A1E72E0D7749941CF28

Function 004005A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004005C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00400601

Strings

nul, xrefs: 00400639

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d13f92c35931a278313c7c5a07be51adc4acc7365471eb55b9296eceda54c0a7
Instruction ID: e6c5dd11d82c66314dac183432f45c6b85dc39773253136075fb72222e3a4166
Opcode Fuzzy Hash: d13f92c35931a278313c7c5a07be51adc4acc7365471eb55b9296eceda54c0a7
Instruction Fuzzy Hash: E62191356003059BDB208F699C44F9A77A5AF85720F200E3AE8A1F33D0D7759961CB28

Function 004240AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0039600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0039604C
Part of subcall function 0039600E: GetStockObject.GDI32(00000011), ref: 00396060
Part of subcall function 0039600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0039606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00424112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0042411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0042412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00424139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00424145

Strings

Msctls_Progress32, xrefs: 004240E3

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 33932ada002bdfd74c24c50399083b8057bdfcc52a0523b5d1490dc3e5c187a2
Instruction ID: 72d1a3edec5ae581c23584fcc09ec5e97933fdecf17ebe1a349d55db5b0f90cc
Opcode Fuzzy Hash: 33932ada002bdfd74c24c50399083b8057bdfcc52a0523b5d1490dc3e5c187a2
Instruction Fuzzy Hash: 5211B6B12402297EEF119F64DC86EE77F5DEF08798F014111FA18A6190CB769C61DBA8

Function 003CD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003CD7A3: _free.LIBCMT ref: 003CD7CC

_free.LIBCMT ref: 003CD82D

Part of subcall function 003C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003CD7D1,00000000,00000000,00000000,00000000,?,003CD7F8,00000000,00000007,00000000,?,003CDBF5,00000000), ref: 003C29DE
Part of subcall function 003C29C8: GetLastError.KERNEL32(00000000,?,003CD7D1,00000000,00000000,00000000,00000000,?,003CD7F8,00000000,00000007,00000000,?,003CDBF5,00000000,00000000), ref: 003C29F0

_free.LIBCMT ref: 003CD838
_free.LIBCMT ref: 003CD843
_free.LIBCMT ref: 003CD897
_free.LIBCMT ref: 003CD8A2
_free.LIBCMT ref: 003CD8AD
_free.LIBCMT ref: 003CD8B8

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: c162363d710ee32c673f863df5bf7af26ec31a8a85f44e37c0c86764d0eb59d1
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 0911C971541B04AAD622BFB0CC46FCB7BDCAF05700F40582DB29DEA992DB76A9158760

Function 003FDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 003FDA74
LoadStringW.USER32(00000000), ref: 003FDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003FDA91
LoadStringW.USER32(00000000), ref: 003FDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003FDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 003FDAB9

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 9c570b22ed86f92f044c22de0f220496eb0563f72fbfa5383eee34616407dab6
Instruction ID: 74d07d0453bb75cfc0db69d4c5aaa6c8ba0aa69094b78371d07ff0d56b4ea4fe
Opcode Fuzzy Hash: 9c570b22ed86f92f044c22de0f220496eb0563f72fbfa5383eee34616407dab6
Instruction Fuzzy Hash: F10136F6A002087FEB519BA49DC9FFB776CEB08701F8044A6B746E6041E6749E854F78

Function 0040096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00DDE378,00DDE378), ref: 0040097B
EnterCriticalSection.KERNEL32(00DDE358,00000000), ref: 0040098D
TerminateThread.KERNEL32(?,000001F6), ref: 0040099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 004009A9
CloseHandle.KERNEL32(?), ref: 004009B8
InterlockedExchange.KERNEL32(00DDE378,000001F6), ref: 004009C8
LeaveCriticalSection.KERNEL32(00DDE358), ref: 004009CF

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ccd4ddd92be5839f71424e4a2fe57be54a03b83860cf7f9ffa7f502315b310b9
Instruction ID: bceee5b0792a7fb5c9b2187d3095b85c9aa4abafdf1d8388edfc319d53017b67
Opcode Fuzzy Hash: ccd4ddd92be5839f71424e4a2fe57be54a03b83860cf7f9ffa7f502315b310b9
Instruction Fuzzy Hash: AAF01D71942902EBD7615B94EEC9BDA7A25BF01702F901076F101608A0CB749466CFA8

Function 00411C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00411DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00411DE1
WSAGetLastError.WSOCK32 ref: 00411DF2
htons.WSOCK32(?,?,?,?,?), ref: 00411EDB
inet_ntoa.WSOCK32(?), ref: 00411E8C

Part of subcall function 003F39E8: _strlen.LIBCMT ref: 003F39F2

Part of subcall function 00413224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0040EC0C), ref: 00413240

_strlen.LIBCMT ref: 00411F35

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 1cac5df6f06c2a9efb892beffa4dba7d35b3f329da6a1958f4380a794424369d
Instruction ID: 813c07b6a55d6da424d2307a7c28350defc9063830179a989a66689270c8af90
Opcode Fuzzy Hash: 1cac5df6f06c2a9efb892beffa4dba7d35b3f329da6a1958f4380a794424369d
Instruction Fuzzy Hash: 23B1E031204300AFC725EF24C885E6A7BA5AF85318F54894DF5565F3A2DB35ED82CB92

Function 00395D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00395D30
GetWindowRect.USER32(?,?), ref: 00395D71
ScreenToClient.USER32(?,?), ref: 00395D99
GetClientRect.USER32(?,?), ref: 00395ED7
GetWindowRect.USER32(?,?), ref: 00395EF8

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 067307da1ba1ff7ada2a1d79effd48fde5cdf627edd584713f9791e8d887549e
Instruction ID: bb022c0cb6f72ee13905939e2dc3c586f9dd48fec9fad1510f44731bf2ff57c7
Opcode Fuzzy Hash: 067307da1ba1ff7ada2a1d79effd48fde5cdf627edd584713f9791e8d887549e
Instruction Fuzzy Hash: B7B16935A0064ADBDF12CFA9C4807EEB7F5FF48310F14841AE8A9D7650DB30AA91DB54

Function 003C01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 003C00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003C00D6
__allrem.LIBCMT ref: 003C00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003C010B
__allrem.LIBCMT ref: 003C0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003C0140

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 49e0654e90e5d948be6eb0d42694d5354e689f294a2bb4733ebd0f4276d773b9
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 2A81E376A00B06AFE7269E68CC42FABB3A8AF41724F25463EF551DA681E770DD008750

Function 003C61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003B82D9,003B82D9,?,?,?,003C644F,00000001,00000001,8BE85006), ref: 003C6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,003C644F,00000001,00000001,8BE85006,?,?,?), ref: 003C62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003C63D8
__freea.LIBCMT ref: 003C63E5

Part of subcall function 003C3820: HeapAlloc.KERNEL32(00000000,?,00461444,?,003AFDF5,?,?,0039A976,00000010,00461440,003913FC,?,003913C6,?,00391129), ref: 003C3852

__freea.LIBCMT ref: 003C63EE
__freea.LIBCMT ref: 003C6413

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocHeap
String ID:
API String ID: 3147120248-0
Opcode ID: 97c45afcd7f1167e91311e070ee82a58484833e41ac253bbd220c893714a8f08
Instruction ID: f44b95a02d81ff431f90e2c46fc34f063aa28b54ae8b1a426a803688f66be072
Opcode Fuzzy Hash: 97c45afcd7f1167e91311e070ee82a58484833e41ac253bbd220c893714a8f08
Instruction Fuzzy Hash: 9F519E72600256ABEB278F64DC82FAF77A9EB44750F16462DF805DA191DB34DC40D760

Function 0041BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

Part of subcall function 0041C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0041B6AE,?,?), ref: 0041C9B5
Part of subcall function 0041C998: _wcslen.LIBCMT ref: 0041C9F1
Part of subcall function 0041C998: _wcslen.LIBCMT ref: 0041CA68
Part of subcall function 0041C998: _wcslen.LIBCMT ref: 0041CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0041BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0041BD25
RegCloseKey.ADVAPI32(00000000), ref: 0041BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0041BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0041BDF3
RegCloseKey.ADVAPI32(?), ref: 0041BDFF

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 4e75ce3ab923371688c7567ce49dfeba84980733d96841a36cb7f2e0690d9dbb
Instruction ID: 788a194f35d533a9c6f36a70aacde7184589c16b1f406e28df445266f60a0469
Opcode Fuzzy Hash: 4e75ce3ab923371688c7567ce49dfeba84980733d96841a36cb7f2e0690d9dbb
Instruction Fuzzy Hash: 9B819E30208241EFD715DF24C885E6ABBE5FF84308F14856EF4598B2A2DB35ED85CB92

Function 003EF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 003EF7B9
SysAllocString.OLEAUT32(00000001), ref: 003EF860
VariantCopy.OLEAUT32(003EFA64,00000000), ref: 003EF889
VariantClear.OLEAUT32(003EFA64), ref: 003EF8AD
VariantCopy.OLEAUT32(003EFA64,00000000), ref: 003EF8B1
VariantClear.OLEAUT32(?), ref: 003EF8BB

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 0ab7fc129ae521b11b3d2252135dbff8122e7eb63324c271c9f6dc8b62a33d7b
Instruction ID: 8115c05e940e3347ea03147ea13c2642ec7331de932cdb11d9688d8a0ce7faf3
Opcode Fuzzy Hash: 0ab7fc129ae521b11b3d2252135dbff8122e7eb63324c271c9f6dc8b62a33d7b
Instruction Fuzzy Hash: 9D51B831600360FFDF26AB66D895729B3A8EF45310B245667F905DF2D6D7B08C40CB56

Function 0040910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00397620: _wcslen.LIBCMT ref: 00397625

Part of subcall function 00396B57: _wcslen.LIBCMT ref: 00396B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004094E5
_wcslen.LIBCMT ref: 00409506
_wcslen.LIBCMT ref: 0040952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00409585

Strings

X, xrefs: 00409412

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: b1526d432229ae6f150cb515307d2b6a3deaeca678f07c048bd400ca3361d881
Instruction ID: e01fd8a5b45b869d408fe59dccd870a7f89bc7ce792a2165f6a531734de7b403
Opcode Fuzzy Hash: b1526d432229ae6f150cb515307d2b6a3deaeca678f07c048bd400ca3361d881
Instruction Fuzzy Hash: 33E192715083009FCB25EF25C881A6BB7E4BF85314F04896EF8999B3A2DB35DD05CB96

Function 003A920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 003A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003A9BB2

BeginPaint.USER32(?,?,?), ref: 003A9241
GetWindowRect.USER32(?,?), ref: 003A92A5
ScreenToClient.USER32(?,?), ref: 003A92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003A92D3
EndPaint.USER32(?,?,?,?,?), ref: 003A9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003E71EA

Part of subcall function 003A9339: BeginPath.GDI32(00000000), ref: 003A9357

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: f6fcca57d4a12f2af02ff05ab1e0493eafaa2d53d108d130d52d562b00444baa
Instruction ID: 033953f8558d619d27bbb0a1018a0d1205d9e4fffabec0d211f2f2ac77deba3b
Opcode Fuzzy Hash: f6fcca57d4a12f2af02ff05ab1e0493eafaa2d53d108d130d52d562b00444baa
Instruction Fuzzy Hash: 3C41BE70204310AFDB22DF25C885FAA7BB8EF4A320F14062AF994971F1D7709845DB62

Function 004007EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0040080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00400847
EnterCriticalSection.KERNEL32(?), ref: 00400863
LeaveCriticalSection.KERNEL32(?), ref: 004008DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004008F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00400921

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 7c81ba57c025f758601f98b30b45fdd520d41ce721c9d8319364adae73b228dc
Instruction ID: 4e80aa6497fa6edc54e4c0a82f0ff249db12d4376b03f75500d5741ba0ce391b
Opcode Fuzzy Hash: 7c81ba57c025f758601f98b30b45fdd520d41ce721c9d8319364adae73b228dc
Instruction Fuzzy Hash: EF413A71A00205EFDF15AF94DC85AAA77B8FF05310F1480B5ED00AE296DB34DE65DBA8

Function 004281DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,003EF3AB,00000000,?,?,00000000,?,003E682C,00000004,00000000,00000000), ref: 0042824C
EnableWindow.USER32(?,00000000), ref: 00428272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004282D1
ShowWindow.USER32(?,00000004), ref: 004282E5
EnableWindow.USER32(?,00000001), ref: 0042830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0042832F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 0d32cff5f52eea2bcea350726d03ca0ac5fd9a8fef0ee0629982e9c50a0444a4
Instruction ID: a0055933c46f187df4bea1caa8fb6ac65aabfb6fea0f31184eacb5324096f47b
Opcode Fuzzy Hash: 0d32cff5f52eea2bcea350726d03ca0ac5fd9a8fef0ee0629982e9c50a0444a4
Instruction Fuzzy Hash: 2D41D330702654EFDB21CF14E895BA97BE0BB05714F5801BEE9084B272CB76A845CF59

Function 003F4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 003F4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 003F4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 003F4CEA
_wcslen.LIBCMT ref: 003F4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 003F4D10
_wcsstr.LIBVCRUNTIME ref: 003F4D1A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: a8902c9a412ad5d2bdd520b1c7650bd3c7817d5f9c44fe8192b7f006bb55a8d0
Instruction ID: b11dec58211219d8905c9ba96708df7db2ddbbbe692748bfeb1c5f9283431f63
Opcode Fuzzy Hash: a8902c9a412ad5d2bdd520b1c7650bd3c7817d5f9c44fe8192b7f006bb55a8d0
Instruction Fuzzy Hash: E4210832204204BFEB275B79EC49E7F7B9CDF45750F118039FA05CE1A2EA61DC0196A4

Function 0040581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00393AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00393A97,?,?,00392E7F,?,?,?,00000000), ref: 00393AC2

_wcslen.LIBCMT ref: 0040587B
CoInitialize.OLE32(00000000), ref: 00405995
CoCreateInstance.OLE32(0042FCF8,00000000,00000001,0042FB68,?), ref: 004059AE
CoUninitialize.OLE32 ref: 004059CC

Strings

.lnk, xrefs: 00405876, 004058C1, 00405985

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: a5f2fe74a2454afdaff5fa249e63aeede38bbdabb9b0085eeb525a6f295c2084
Instruction ID: 53a5e9fdc2c004c59a8e9676785ee7d616feeb483626c9c25b6ae6d0d70abcc4
Opcode Fuzzy Hash: a5f2fe74a2454afdaff5fa249e63aeede38bbdabb9b0085eeb525a6f295c2084
Instruction Fuzzy Hash: DCD143716086019FCB14DF24C480A2BBBE5EF89714F15886AF889AB3A1D735EC45CF96

Function 003F175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003F0FCA
Part of subcall function 003F0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003F0FD6
Part of subcall function 003F0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003F0FE5
Part of subcall function 003F0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003F0FEC
Part of subcall function 003F0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003F1002

GetLengthSid.ADVAPI32(?,00000000,003F1335), ref: 003F17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003F17BA
HeapAlloc.KERNEL32(00000000), ref: 003F17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 003F17DA
GetProcessHeap.KERNEL32(00000000,00000000,003F1335), ref: 003F17EE
HeapFree.KERNEL32(00000000), ref: 003F17F5

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: a6eb709de7d3b37edcae24fa30e59e0a417ab069807825f1054f25f05268b663
Instruction ID: 71342b5811a0348fe366093b159e0f5df3f58ef6cfb59b1bdaf4caf2224842ec
Opcode Fuzzy Hash: a6eb709de7d3b37edcae24fa30e59e0a417ab069807825f1054f25f05268b663
Instruction Fuzzy Hash: 8111BE31A00209FFDB21AFA4DC8ABBF7BA9EF41355F504068F54597210C736A949CB60

Function 003F14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003F14FF
OpenProcessToken.ADVAPI32(00000000), ref: 003F1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003F1515
CloseHandle.KERNEL32(00000004), ref: 003F1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003F154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 003F1563

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: e10ded174ed10a8bdca9445e1f7118714e46660dbde228f7e918aeb863f0fd37
Instruction ID: 3238bbc093a6309e3901d1ac2e9a40ad9cd70d9f3867547b7fbb70f6c227c86c
Opcode Fuzzy Hash: e10ded174ed10a8bdca9445e1f7118714e46660dbde228f7e918aeb863f0fd37
Instruction Fuzzy Hash: 5111297260024DEBDF22CF98ED49BEE7BA9EF49744F154025FA05A2060C3758E61DB64

Function 003B3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,003B3379,003B2FE5), ref: 003B3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003B339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003B33B7
SetLastError.KERNEL32(00000000,?,003B3379,003B2FE5), ref: 003B3409

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d22786708c26024275356b12f8262127b7d45cd7dd429d984e3ab8fea5118a6b
Instruction ID: 6b8c5b52c17e8df1e5b27baf7b73725c9b6514635ba847ecb86ff750b7726f6a
Opcode Fuzzy Hash: d22786708c26024275356b12f8262127b7d45cd7dd429d984e3ab8fea5118a6b
Instruction Fuzzy Hash: 0D012832309331BEA62727B5BCC67DB2B94DB0577E7200239F710859F1EF218D019148

Function 003C2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,003C5686,003D3CD6,?,00000000,?,003C5B6A,?,?,?,?,?,003BE6D1,?,00458A48), ref: 003C2D78
_free.LIBCMT ref: 003C2DAB
_free.LIBCMT ref: 003C2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,003BE6D1,?,00458A48,00000010,00394F4A,?,?,00000000,003D3CD6), ref: 003C2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,003BE6D1,?,00458A48,00000010,00394F4A,?,?,00000000,003D3CD6), ref: 003C2DEC
_abort.LIBCMT ref: 003C2DF2

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 073b03174a2df923653c6ee93925015cbaa44c16c7374cf9855013f9790c64bb
Instruction ID: 778014faf1d064d1c8ab73ad6a00706e1d646a47c9900021aad70c70d24ea736
Opcode Fuzzy Hash: 073b03174a2df923653c6ee93925015cbaa44c16c7374cf9855013f9790c64bb
Instruction Fuzzy Hash: C1F0A431644B006BC6236738AC4EF5F2659ABD27A1F26492CF835D61D2EF248C024365

Function 00428A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 003A9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003A9693
Part of subcall function 003A9639: SelectObject.GDI32(?,00000000), ref: 003A96A2
Part of subcall function 003A9639: BeginPath.GDI32(?), ref: 003A96B9
Part of subcall function 003A9639: SelectObject.GDI32(?,00000000), ref: 003A96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00428A4E
LineTo.GDI32(?,00000003,00000000), ref: 00428A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00428A70
LineTo.GDI32(?,00000000,00000003), ref: 00428A80
EndPath.GDI32(?), ref: 00428A90
StrokePath.GDI32(?), ref: 00428AA0

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b96e91c024ba28b7a0c5cf5771bb062e18fe7c17dc4b86bb61618a9a7059c2a5
Instruction ID: f89823f493bcd33fc03c84773ae29d9d6299bd4fa096c422b101cb1b930d4da2
Opcode Fuzzy Hash: b96e91c024ba28b7a0c5cf5771bb062e18fe7c17dc4b86bb61618a9a7059c2a5
Instruction Fuzzy Hash: 0F11F776100118FFEF129F94DC88EAA7F6CEB08350F448022BA199A1A1D771AD55DBA4

Function 003F51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003F5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 003F5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003F5230
ReleaseDC.USER32(00000000,00000000), ref: 003F5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 003F524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 003F5261

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 368d2ce15f6932d4c62659ae2266cb370bf7f4b1b1ef28994f4c6ab80f4ee844
Instruction ID: c2750a4538d0891e3d8c0b5dca0d0fc6571a24e5dba40e254648dfdcd6b53aff
Opcode Fuzzy Hash: 368d2ce15f6932d4c62659ae2266cb370bf7f4b1b1ef28994f4c6ab80f4ee844
Instruction Fuzzy Hash: ED018F75E01718BBEB109BA69C89A5EBFB8EF48751F044165FB04AB281D6709801CFA4

Function 00391BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00391BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00391BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00391C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00391C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00391C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00391C22

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 5fdd7196f9eb403797b32134ec8a0bfe6e98381d783940c7e1850fc388ed7c8c
Instruction ID: b37a96b28466c47c84426aa81635f26d80131514c1138b9937c529a354b81419
Opcode Fuzzy Hash: 5fdd7196f9eb403797b32134ec8a0bfe6e98381d783940c7e1850fc388ed7c8c
Instruction Fuzzy Hash: EA016CB09027597DE3008F5A8C85B56FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 003FEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003FEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003FEB46
GetWindowThreadProcessId.USER32(?,?), ref: 003FEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003FEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003FEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003FEB75

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b9407e94d2077f25ef0622e3021f8e1230eb0d6a00d3962c8b7291bb2cbe235c
Instruction ID: 401eb449e8d733ab80f8670b7da6aed24e3b57b6583bb9feb9227b7ab48ff8e9
Opcode Fuzzy Hash: b9407e94d2077f25ef0622e3021f8e1230eb0d6a00d3962c8b7291bb2cbe235c
Instruction Fuzzy Hash: F3F05E72340558BBE7315B629C4EEEF3E7CEFCAB11F400168FA01D1191DBA05A02CAB9

Function 003E7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 003E7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 003E7469
GetWindowDC.USER32(?), ref: 003E7475
GetPixel.GDI32(00000000,?,?), ref: 003E7484
ReleaseDC.USER32(?,00000000), ref: 003E7496
GetSysColor.USER32(00000005), ref: 003E74B0

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: d6382332fcad03a92c1982e8c70b35a140fd70b461d16089be7555039b0f3e74
Instruction ID: 5ea38564e25ba59d1b514309d4eb4144b203e137f994a5dd8830a620ea5cb5f3
Opcode Fuzzy Hash: d6382332fcad03a92c1982e8c70b35a140fd70b461d16089be7555039b0f3e74
Instruction Fuzzy Hash: 1F017831600225EFEB225F65DC49BAE7BB5FB04311F910160F916A21E0CB311E52AF54

Function 003F1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 003F187F
UnloadUserProfile.USERENV(?,?), ref: 003F188B
CloseHandle.KERNEL32(?), ref: 003F1894
CloseHandle.KERNEL32(?), ref: 003F189C
GetProcessHeap.KERNEL32(00000000,?), ref: 003F18A5
HeapFree.KERNEL32(00000000), ref: 003F18AC

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 255ed8bbedfd213266772e79f20f7dd7405868abec3ed5196f2ad794e439edf3
Instruction ID: c7b197d4e587cb5e68a30ef02adeb6b1002f6b0757b73cfcfe2bbb01f53255a0
Opcode Fuzzy Hash: 255ed8bbedfd213266772e79f20f7dd7405868abec3ed5196f2ad794e439edf3
Instruction Fuzzy Hash: 94E0E536204501BBDB116FA1ED4D91EBF39FF89B22BA08630F22581074CB329432DF58

Function 0039BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0039BEB3

Strings

D%F, xrefs: 0039BE9A
D%F, xrefs: 0039BCA2
D%FD%F, xrefs: 0039BCA5
D%F, xrefs: 0039BDED, 0039BD91, 0039BD1B

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%F$D%F$D%F$D%FD%F
API String ID: 1385522511-3292877973
Opcode ID: dba624722c21d9d451e610ce1c71740253f5a5a30ab63a7e2af29e43e4258edb
Instruction ID: b79df821259287bae16ac6845c06c12b955920e218d85ba8d23be2972e4a194e
Opcode Fuzzy Hash: dba624722c21d9d451e610ce1c71740253f5a5a30ab63a7e2af29e43e4258edb
Instruction Fuzzy Hash: 0C917975A0060ADFCF19CF58E2906AAF7F5FF58310B21816AD946AB350E771AD81CF90

Function 00417B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 003B0242: EnterCriticalSection.KERNEL32(0046070C,00461884,?,?,003A198B,00462518,?,?,?,003912F9,00000000), ref: 003B024D
Part of subcall function 003B0242: LeaveCriticalSection.KERNEL32(0046070C,?,003A198B,00462518,?,?,?,003912F9,00000000), ref: 003B028A

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

Part of subcall function 003B00A3: __onexit.LIBCMT ref: 003B00A9

__Init_thread_footer.LIBCMT ref: 00417BFB

Part of subcall function 003B01F8: EnterCriticalSection.KERNEL32(0046070C,?,?,003A8747,00462514), ref: 003B0202
Part of subcall function 003B01F8: LeaveCriticalSection.KERNEL32(0046070C,?,003A8747,00462514), ref: 003B0235

Strings

Variable must be of type 'Object'., xrefs: 00417C3A
+T>, xrefs: 00417E2E
G, xrefs: 00417C7F
5, xrefs: 00417C78

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T>$5$G$Variable must be of type 'Object'.
API String ID: 535116098-642478837
Opcode ID: 1aa2f15279a2647e9e7e5737a6cedc76cf76f750a4dcdeae1758469c6193c5d9
Instruction ID: 8aee1e1d1881cccb3076a3d37050904b00b8d2db8cc23e9147cabd70940c3626
Opcode Fuzzy Hash: 1aa2f15279a2647e9e7e5737a6cedc76cf76f750a4dcdeae1758469c6193c5d9
Instruction Fuzzy Hash: 21918E74A04209EFCB15EF54D8919EEB7B2FF44304F10805AF8069B392EB75AE85CB59

Function 003FC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00397620: _wcslen.LIBCMT ref: 00397625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003FC6EE
_wcslen.LIBCMT ref: 003FC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003FC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 003FC7CA

Strings

0, xrefs: 003FC6AF

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 8fb03aae029c7174ec2f0b358de56a63f8e118c6c65e526d7874c4c4c267e644
Instruction ID: e9880e03621cdc3debccc41022303895571966123042fefe006de3c84a20b480
Opcode Fuzzy Hash: 8fb03aae029c7174ec2f0b358de56a63f8e118c6c65e526d7874c4c4c267e644
Instruction Fuzzy Hash: 855104716A830C9FC716AF28CA84B7B77E8AF45310F082929F695D71E0DB70D808CB56

Function 0041AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0041AEA3

Part of subcall function 00397620: _wcslen.LIBCMT ref: 00397625

GetProcessId.KERNEL32(00000000), ref: 0041AF38
CloseHandle.KERNEL32(00000000), ref: 0041AF67

Strings

<, xrefs: 0041AE6B
@, xrefs: 0041AE72

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: e7b5c1908b89f41ca6cf702fb8026cdfefefd49fe74c3e39ace49399be0ad611
Instruction ID: 172e988a4b1af185078af5b456d29754fda2b12d2472e8c8790c9977cea2c1c3
Opcode Fuzzy Hash: e7b5c1908b89f41ca6cf702fb8026cdfefefd49fe74c3e39ace49399be0ad611
Instruction Fuzzy Hash: 5D716871A00614DFCF15DF64C484A9EBBF0BF08314F04849AE81AAB392C778ED85CB95

Function 003F719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003F7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003F723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003F724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003F72CF

Strings

DllGetClassObject, xrefs: 003F7242

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 330d16af66141d8cd3c7986c111d06e6e931f6f1ef7643e687bab9ae830a82c6
Instruction ID: 9c491c5fd8ddd045236663951263a2456426bf3a73c3f0022941e0da28027c75
Opcode Fuzzy Hash: 330d16af66141d8cd3c7986c111d06e6e931f6f1ef7643e687bab9ae830a82c6
Instruction Fuzzy Hash: 49418271604208EFDB16CF54C885BAA7BB9EF44710F1584ADBE059F20AD7B1DD45CBA0

Function 00423D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00423E35
IsMenu.USER32(?), ref: 00423E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00423E92
DrawMenuBar.USER32 ref: 00423EA5

Strings

0, xrefs: 00423D89

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 372ffe8a540089d537b4673c41ca706f131cfda2c9c8d48125d63d22340d7546
Instruction ID: 9539a498bc085a8845fffd461bab2c4a4197c51ba622a638e78f53823c3ec39d
Opcode Fuzzy Hash: 372ffe8a540089d537b4673c41ca706f131cfda2c9c8d48125d63d22340d7546
Instruction Fuzzy Hash: 85418A75A00219EFDB10DF50E880AAABBB5FF48351F45412AE905A7350D338EE49CF95

Function 003F1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

Part of subcall function 003F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003F3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003F1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 003F1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 003F1EA9

Part of subcall function 00396B57: _wcslen.LIBCMT ref: 00396B6A

Strings

ComboBox, xrefs: 003F1DF0
ListBox, xrefs: 003F1E25

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: bad2343b49c4adfb1d99832741840e20f301b0e5ba18baee2ff5a337fc161515
Instruction ID: c735bb7ad88b50ccf657ff372684793b5a4abafa48c115c9e22bc5996aeca488
Opcode Fuzzy Hash: bad2343b49c4adfb1d99832741840e20f301b0e5ba18baee2ff5a337fc161515
Instruction Fuzzy Hash: 7B21F971A00108BEDF16ABA5EC56DFFB7B8DF55350B14412AF925AB1E1DB34490AC620

Function 00422F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00422F8D
LoadLibraryW.KERNEL32(?), ref: 00422F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00422FA9
DestroyWindow.USER32(?), ref: 00422FB1

Strings

SysAnimate32, xrefs: 00422F68

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: faf107d1fcb6461d783ee6ae7ffa372513daca6457a89b0ab72031221bf8bada
Instruction ID: 409bab1c224b2beb1081684d01a68d2237874c94b3fa766d9940f1f16a8e75af
Opcode Fuzzy Hash: faf107d1fcb6461d783ee6ae7ffa372513daca6457a89b0ab72031221bf8bada
Instruction Fuzzy Hash: 8921D471300215BBEB204F64EE80FBB37B9EF58364F92022AF910D2290D7B5DC41A768

Function 003B4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,003B4D1E,003C28E9,?,003B4CBE,003C28E9,004588B8,0000000C,003B4E15,003C28E9,00000002), ref: 003B4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003B4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,003B4D1E,003C28E9,?,003B4CBE,003C28E9,004588B8,0000000C,003B4E15,003C28E9,00000002,00000000), ref: 003B4DC3

Strings

mscoree.dll, xrefs: 003B4D86
CorExitProcess, xrefs: 003B4D98

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3fd0a6d9ef5a4d6c23a052798f80d7ed79edd8ad9dfd327f4be107496850aed0
Instruction ID: 8ba7f2f339c78bc88711367054c822ae815b3f763fe48669b058408194d840d7
Opcode Fuzzy Hash: 3fd0a6d9ef5a4d6c23a052798f80d7ed79edd8ad9dfd327f4be107496850aed0
Instruction Fuzzy Hash: BDF0A430600208BBDB119F90DC89BEDBBB4EF04756F400169F905A26A1CB305941CA98

Function 00394E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00394EDD,?,00461418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00394E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00394EAE
FreeLibrary.KERNEL32(00000000,?,?,00394EDD,?,00461418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00394EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00394EA8
kernel32.dll, xrefs: 00394E94

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 8245ff855498c23fe99878ba572f280b611ba60863210fd6a924c4ffca05f125
Instruction ID: 02e762da8fa623e4d7e6f23b457a74fafd04cc448a470b1fe1f47405453eb84a
Opcode Fuzzy Hash: 8245ff855498c23fe99878ba572f280b611ba60863210fd6a924c4ffca05f125
Instruction Fuzzy Hash: CDE08635F025229B96321B257C59F6F6554AF81B637460125FC01D2105DB64CD0384E8

Function 00394E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,003D3CDE,?,00461418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00394E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00394E74
FreeLibrary.KERNEL32(00000000,?,?,003D3CDE,?,00461418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00394E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00394E6E
kernel32.dll, xrefs: 00394E5B

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 37838ded33789867cf61b21cd374ec4f449fc45a31d4a45caed73d2f7b6c37e9
Instruction ID: 51b391c3215fdcdcf57b6103e899844bd19ed8aa63703fbaef76483d225e1963
Opcode Fuzzy Hash: 37838ded33789867cf61b21cd374ec4f449fc45a31d4a45caed73d2f7b6c37e9
Instruction Fuzzy Hash: B7D0C232F02A31A74A331B247C09EAF2A18AF85B523860221BC00A2214CF24CD13C9DC

Function 00402947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00402C05
DeleteFileW.KERNEL32(?), ref: 00402C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00402C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00402CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00402CC0

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 5f84acfa478aec3bfc4ab0fe34e8e709798e56b1dd6375f83340c8952c42883d
Instruction ID: fe693a41c2dc9145b6845d4765a3800eb9005400847792e8073e982ed842af1b
Opcode Fuzzy Hash: 5f84acfa478aec3bfc4ab0fe34e8e709798e56b1dd6375f83340c8952c42883d
Instruction Fuzzy Hash: 35B16E71D00119ABDF22DFA4CD89EDEB77DEF09344F1040A6FA09F6281EA749A448F65

Function 0041A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0041A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0041A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0041A468
CloseHandle.KERNEL32(?), ref: 0041A63D

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 132db33c64c40aeb65739a6ae6b75894587d40b50462b3f5203ba4406f51a8c2
Instruction ID: 250efbbfbf86995e2d8b4676342d69365fd795b193292385d1c7c2b3bb362d3a
Opcode Fuzzy Hash: 132db33c64c40aeb65739a6ae6b75894587d40b50462b3f5203ba4406f51a8c2
Instruction Fuzzy Hash: F1A1B271604300AFE721DF24C886F2AB7E1AF84714F54881DF59A9B392D774EC418B96

Function 003CBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00433700), ref: 003CBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0046121C,000000FF,00000000,0000003F,00000000,?,?), ref: 003CBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00461270,000000FF,?,0000003F,00000000,?), ref: 003CBC36
_free.LIBCMT ref: 003CBB7F

Part of subcall function 003C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003CD7D1,00000000,00000000,00000000,00000000,?,003CD7F8,00000000,00000007,00000000,?,003CDBF5,00000000), ref: 003C29DE
Part of subcall function 003C29C8: GetLastError.KERNEL32(00000000,?,003CD7D1,00000000,00000000,00000000,00000000,?,003CD7F8,00000000,00000007,00000000,?,003CDBF5,00000000,00000000), ref: 003C29F0

_free.LIBCMT ref: 003CBD4B

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: c3ec5706deda225b1d7a101f18b621acb5e791102ade40dc51ab926119764d53
Instruction ID: edc1d4ceae3757575553fc29f8b4842cb6b801f2d87930ffe0d2a9e7010c4ee1
Opcode Fuzzy Hash: c3ec5706deda225b1d7a101f18b621acb5e791102ade40dc51ab926119764d53
Instruction Fuzzy Hash: 6C51E571900209AFCB12EFA59C82EAEF7BCEB40310F1542AEE551E71A1EB709E408B55

Function 003FE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003FDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003FCF22,?), ref: 003FDDFD

Part of subcall function 003FDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003FCF22,?), ref: 003FDE16

Part of subcall function 003FE199: GetFileAttributesW.KERNEL32(?,003FCF95), ref: 003FE19A

lstrcmpiW.KERNEL32(?,?), ref: 003FE473
MoveFileW.KERNEL32(?,?), ref: 003FE4AC
_wcslen.LIBCMT ref: 003FE5EB
_wcslen.LIBCMT ref: 003FE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 003FE650

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f154cc0d3054b2b8c3025a5c6123c480e065a6c8fbee9d91d2d0e612cf4013f2
Instruction ID: 9434c99d21a13c4ce03dc7ca001d49634a7e6b3312009364b2f0c1b9df006f97
Opcode Fuzzy Hash: f154cc0d3054b2b8c3025a5c6123c480e065a6c8fbee9d91d2d0e612cf4013f2
Instruction Fuzzy Hash: 735182B24083495BC726EB94DC81AEF73DCAF85344F00492EF689D7151EF74A6888B66

Function 0041B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

Part of subcall function 0041C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0041B6AE,?,?), ref: 0041C9B5
Part of subcall function 0041C998: _wcslen.LIBCMT ref: 0041C9F1
Part of subcall function 0041C998: _wcslen.LIBCMT ref: 0041CA68
Part of subcall function 0041C998: _wcslen.LIBCMT ref: 0041CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0041BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0041BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0041BB63
RegCloseKey.ADVAPI32(?,?), ref: 0041BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0041BBB3

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 1c60df5c91e2b717825459de942760704bcd11383c4a2f6c13ab9c24c6c196be
Instruction ID: 25e7029e9c5236c3e2aee8a8fb8394ba50faeb3626be851c7d57fb4f94904526
Opcode Fuzzy Hash: 1c60df5c91e2b717825459de942760704bcd11383c4a2f6c13ab9c24c6c196be
Instruction Fuzzy Hash: 8D61B131208241AFC714DF14C890E6BBBE5FF84348F54859EF4994B6A2CB35ED86CB92

Function 003F8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003F8BCD
VariantClear.OLEAUT32 ref: 003F8C3E
VariantClear.OLEAUT32 ref: 003F8C9D
VariantClear.OLEAUT32(?), ref: 003F8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 003F8D3B

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 3a9270406693a040343f97d836b3653563c19f4a940ad8eb9d79a664ba7a7aad
Instruction ID: 950dc40528527812b736842d328039a3b0819f3e0678cdb09c4c150942ad1a84
Opcode Fuzzy Hash: 3a9270406693a040343f97d836b3653563c19f4a940ad8eb9d79a664ba7a7aad
Instruction Fuzzy Hash: BE517BB5A00619EFCB15CF68C884AAAB7F8FF89314B158569FA05DB354E730E911CF90

Function 00408AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00408BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00408BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00408C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00408C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00408C5F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: ca4b1a386e134ffbf49ffaa936bc08c29ceaff3ed1c4c7308726d9970dfa6cc2
Instruction ID: d7f27efb74eecc179277356431d695417fb028aabed31631852b5cb68d182b34
Opcode Fuzzy Hash: ca4b1a386e134ffbf49ffaa936bc08c29ceaff3ed1c4c7308726d9970dfa6cc2
Instruction Fuzzy Hash: 90513935A002149FDF11DF64C880A6ABBF5FF49314F0880A9E849AB3A2DB35ED51CB94

Function 00418EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00418F40
GetProcAddress.KERNEL32(00000000,?), ref: 00418FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00418FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00419032
FreeLibrary.KERNEL32(00000000), ref: 00419052

Part of subcall function 003AF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00401043,?,7529E610), ref: 003AF6E6
Part of subcall function 003AF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,003EFA64,00000000,00000000,?,?,00401043,?,7529E610,?,003EFA64), ref: 003AF70D

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: e7856d5030f10e1ca913a81b398bd027602d412ca3c5a0a855f8155b2bb310f5
Instruction ID: a5ca988f61c94adb19f656a2191050fb1ac227f47bf5d757b31ba307927f4643
Opcode Fuzzy Hash: e7856d5030f10e1ca913a81b398bd027602d412ca3c5a0a855f8155b2bb310f5
Instruction Fuzzy Hash: EA515935A04205DFCB15DF58C4948AEBBF1FF49314B0580AAE80A9F362DB35ED86CB95

Function 00426B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00426C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00426C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00426C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0040AB79,00000000,00000000), ref: 00426C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00426CC7

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 54e89409e3f09499b4a6348ced253244e6020c7e5e3b6545c68e05623c6331a8
Instruction ID: 772105b73492b8d4bc0a0714392b81ce681ffa752bca8f42bd2fc251dcfbbbec
Opcode Fuzzy Hash: 54e89409e3f09499b4a6348ced253244e6020c7e5e3b6545c68e05623c6331a8
Instruction Fuzzy Hash: 79412A35700124AFD724EF29DC84FAA7FA4EB09350F96026AF855A73E0C775ED41CA48

Function 003C2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003C20C3
_free.LIBCMT ref: 003C20E3

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3611002e98e77bb9397e5b0a7064ce6ce04f40c0e7e44123cd274e562f866629
Instruction ID: 94456def39009ce6514d26714ab13a343dd105e90ec5a6910b6d5916b96d5221
Opcode Fuzzy Hash: 3611002e98e77bb9397e5b0a7064ce6ce04f40c0e7e44123cd274e562f866629
Instruction Fuzzy Hash: 2C418072A002149FCB26DFB8C881F5AB7A5EF89714B16456DE615EB392DA31AD01CB80

Function 003A912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 003A9141
ScreenToClient.USER32(00000000,?), ref: 003A915E
GetAsyncKeyState.USER32(00000001), ref: 003A9183
GetAsyncKeyState.USER32(00000002), ref: 003A919D

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d6f7f28118604c1a43aa3b3509936881b7ee380c972c1cd7f18b15304ea6b229
Instruction ID: 6560c5d8e477a2aa7e1b1520683fcbff5e32451a1640126712db825f67b5126a
Opcode Fuzzy Hash: d6f7f28118604c1a43aa3b3509936881b7ee380c972c1cd7f18b15304ea6b229
Instruction Fuzzy Hash: 5E416031A0866ABBDF169F65C848BEEB774FF06324F20432AE425A72D0C7745950CB55

Function 00403874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004038CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00403922
TranslateMessage.USER32(?), ref: 0040394B
DispatchMessageW.USER32(?), ref: 00403955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00403966

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 5cd90f6e5d6210339c7dd093cb09b9622e6605cddf349fff294aff88ed2a768c
Instruction ID: e27130af01680282f1d7a143dc273cbf5b5d275b8489e313d682698e26505d94
Opcode Fuzzy Hash: 5cd90f6e5d6210339c7dd093cb09b9622e6605cddf349fff294aff88ed2a768c
Instruction Fuzzy Hash: 1C3198B05043419EEB35DF349949B773FAC9B05305F08457BD452A22E0E3F89685CB5A

Function 0040CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0040C21E,00000000), ref: 0040CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0040CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0040C21E,00000000), ref: 0040CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0040C21E,00000000), ref: 0040CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0040C21E,00000000), ref: 0040CFF2

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: d7be3ed8e7224c742dc28e09d3e3de6cc012392d9c8229db920202ac332f3a63
Instruction ID: 9391690f60c5d32b1f19b50503b134e28ff3bd317ce38ca9080d2678c82d6e2f
Opcode Fuzzy Hash: d7be3ed8e7224c742dc28e09d3e3de6cc012392d9c8229db920202ac332f3a63
Instruction Fuzzy Hash: 08313C71600206EFDB24DFA5C8C49ABBBF9EB14354B10457EF506E2281DB34AE429B69

Function 003F1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003F1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 003F19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 003F19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 003F19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 003F19E2

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 654dcdca6a84b88c36e1a6f707cb19ae7968ccf24b94d791504665ef4e17c910
Instruction ID: c2a808ecd180cea9846d32f57b3777e1ad3a228db794780abcca73a533834c90
Opcode Fuzzy Hash: 654dcdca6a84b88c36e1a6f707cb19ae7968ccf24b94d791504665ef4e17c910
Instruction Fuzzy Hash: 1631AF71A0021DEFDB14CFA8D999AEF3BB5EB04315F104229FA21A72D1C7B09954DBD0

Function 00425706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00425745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0042579D
_wcslen.LIBCMT ref: 004257AF
_wcslen.LIBCMT ref: 004257BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00425816

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 20cc3a338465439693caffc7d839be523f6fe0b1aecc28d2ceaedd70bbeee218
Instruction ID: ddc5281e8ac19ad1d7d1b3632c40db44eae55a0c098a30de0a29adbac4ad8525
Opcode Fuzzy Hash: 20cc3a338465439693caffc7d839be523f6fe0b1aecc28d2ceaedd70bbeee218
Instruction Fuzzy Hash: BA21A775A04628DADB20DF60EC84AEEB7B8FF44324F908217E919DB280D774C985CF59

Function 00410930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00410951
GetForegroundWindow.USER32 ref: 00410968
GetDC.USER32(00000000), ref: 004109A4
GetPixel.GDI32(00000000,?,00000003), ref: 004109B0
ReleaseDC.USER32(00000000,00000003), ref: 004109E8

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: fd16c04f5c61de083da4153026a7622b3574b9e0fe9273a866609d2a64f30c79
Instruction ID: fd0b572feea7fd5954bc55d81b9e5e2c17529a1d566a6475a224ead92d4edfc6
Opcode Fuzzy Hash: fd16c04f5c61de083da4153026a7622b3574b9e0fe9273a866609d2a64f30c79
Instruction Fuzzy Hash: 2921A175600204AFD714EF65D984AAEBBF5EF44700F00803DE84AAB762CB74AC45CB94

Function 003CCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 003CCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003CCDE9

Part of subcall function 003C3820: HeapAlloc.KERNEL32(00000000,?,00461444,?,003AFDF5,?,?,0039A976,00000010,00461440,003913FC,?,003913C6,?,00391129), ref: 003C3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 003CCE0F
_free.LIBCMT ref: 003CCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003CCE31

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
String ID:
API String ID: 2278895681-0
Opcode ID: fa1370397a6e137f1cdf63d02ffc135424dc1a5b546a0fa81d9798899f79201d
Instruction ID: bdaa91f490f6cc29199a99d1226bc03e10c56255f9fc0336d06afcee90b03de7
Opcode Fuzzy Hash: fa1370397a6e137f1cdf63d02ffc135424dc1a5b546a0fa81d9798899f79201d
Instruction Fuzzy Hash: 5401D4726116157F632316B66C8CE7F796DEEC7BA2316112DFD09C7201EA619D0283F4

Function 003A9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003A9693
SelectObject.GDI32(?,00000000), ref: 003A96A2
BeginPath.GDI32(?), ref: 003A96B9
SelectObject.GDI32(?,00000000), ref: 003A96E2

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 44c55ea66c2e73ae168f9acd5df13befa48e1a14ee9d8ddb938402d6c5196b94
Instruction ID: bc8bec3786c81d5b7237a090f6ac5ce7c194c86c18dbb2fa3c834b0f1faea944
Opcode Fuzzy Hash: 44c55ea66c2e73ae168f9acd5df13befa48e1a14ee9d8ddb938402d6c5196b94
Instruction Fuzzy Hash: F02183B0902305EFDB129F64DC597AD3B68FF01325F190226F410A61B0E3B05859CFD9

Function 003F5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 003F5726
_memcmp.LIBVCRUNTIME ref: 003F5744
_memcmp.LIBVCRUNTIME ref: 003F5757
_memcmp.LIBVCRUNTIME ref: 003F576F
_memcmp.LIBVCRUNTIME ref: 003F5787

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 37a5091d8f132e7d23726873375dc7acc417ba93d663cf0cfb458d8d0e1289ba
Instruction ID: 6b69568713c3d622101ef2aaf19828da0c3ef2e9751b088731e90df50ac698cb
Opcode Fuzzy Hash: 37a5091d8f132e7d23726873375dc7acc417ba93d663cf0cfb458d8d0e1289ba
Instruction Fuzzy Hash: 7501F566345A1DBBD20A6511AD82FFB739C9B30398FD00031FF099FA41F720ED1882A4

Function 003C2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,003BF2DE,003C3863,00461444,?,003AFDF5,?,?,0039A976,00000010,00461440,003913FC,?,003913C6), ref: 003C2DFD
_free.LIBCMT ref: 003C2E32
_free.LIBCMT ref: 003C2E59
SetLastError.KERNEL32(00000000,00391129), ref: 003C2E66
SetLastError.KERNEL32(00000000,00391129), ref: 003C2E6F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 32ff346c090f505adf65854fac7133a53e30f428bb9be1627eaa9f29b72ddedd
Instruction ID: 9c7745c66409717cf28ecee8ae626ba57e96dee402b94f02fa257896f539b94e
Opcode Fuzzy Hash: 32ff346c090f505adf65854fac7133a53e30f428bb9be1627eaa9f29b72ddedd
Instruction Fuzzy Hash: 4501F436245A006BCA2367746C85F2F266DABC13B1B22443CF821F6193EB34CC014320

Function 003F000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,003EFF41,80070057,?,?,?,003F035E), ref: 003F002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003EFF41,80070057,?,?), ref: 003F0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003EFF41,80070057,?,?), ref: 003F0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003EFF41,80070057,?), ref: 003F0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003EFF41,80070057,?,?), ref: 003F0070

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 5b89e91e20a282df183a4094894a2b8293142e30284c2627bbdd987276ed32ad
Instruction ID: f500ad3cf88df27bf11cfe7baf46379bbecf5891a4a855ac1dd0c2507eaf57e9
Opcode Fuzzy Hash: 5b89e91e20a282df183a4094894a2b8293142e30284c2627bbdd987276ed32ad
Instruction Fuzzy Hash: 94018B72600209BFDB265F68DC84FBE7AADEF44792F148124FA05D2211EB71DD418BA0

Function 003FE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 003FE997
QueryPerformanceFrequency.KERNEL32(?), ref: 003FE9A5
Sleep.KERNEL32(00000000), ref: 003FE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 003FE9B7
Sleep.KERNEL32 ref: 003FE9F3

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 246ef05b21f698b2ff2bd6e4f5b8e208bfca6e00fb0941e06228de2789091a8a
Instruction ID: 32d98759f66fa2b301b55e3cf972d0b6181baf58fe92b2bb15eb7b4ddbab5b3e
Opcode Fuzzy Hash: 246ef05b21f698b2ff2bd6e4f5b8e208bfca6e00fb0941e06228de2789091a8a
Instruction Fuzzy Hash: F4015B31D0162DDBDF119FE4DC896EEBB78BB09700F410556E602B2260CB749555CBA5

Function 003F10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003F1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,003F0B9B,?,?,?), ref: 003F1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003F0B9B,?,?,?), ref: 003F112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003F0B9B,?,?,?), ref: 003F1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003F114D

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 133d49ecffd7764777f3ddd64614b56dfbb7ea337ec79e7b9f208ed28c1b3b69
Instruction ID: 54861049d04a5f4226c16011ee30b349984bdac08b59b566dc5ca9283e16f794
Opcode Fuzzy Hash: 133d49ecffd7764777f3ddd64614b56dfbb7ea337ec79e7b9f208ed28c1b3b69
Instruction Fuzzy Hash: 09018179200205FFDB224FA4EC89E6A3F6EEF85360B510424FA41C3350DB31DC018EA0

Function 003F0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003F0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003F0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003F0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003F0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003F1002

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8c38ca0dadd2d795e6744ba9dfbd927943e447f6df87fe8247a2aaaef66e2ef2
Instruction ID: eba587385893719f91a6ffba176ced2fa715654650c546c93ba2331305395629
Opcode Fuzzy Hash: 8c38ca0dadd2d795e6744ba9dfbd927943e447f6df87fe8247a2aaaef66e2ef2
Instruction Fuzzy Hash: 7FF06236240305FBD7214FA4EC8EF6A3B6DEF89761F514424FA45D7261CE70DC518A60

Function 003F1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003F102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003F1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003F1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003F104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003F1062

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0167e25051808470caef9cdfe73764f3a636ca6c314bf27d3eaf7e7f3b7fc40f
Instruction ID: bc6ddd5332f13eb8caca6c58b6382c9fe2f7c0f69dd192c2bffb45d019955e6b
Opcode Fuzzy Hash: 0167e25051808470caef9cdfe73764f3a636ca6c314bf27d3eaf7e7f3b7fc40f
Instruction Fuzzy Hash: EDF06D35240306FBDB225FA4EC89F6A3BADEF89761F610424FA45D7250CE70D8518AA0

Function 0040030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0040017D,?,004032FC,?,00000001,003D2592,?), ref: 00400324
CloseHandle.KERNEL32(?,?,?,?,0040017D,?,004032FC,?,00000001,003D2592,?), ref: 00400331
CloseHandle.KERNEL32(?,?,?,?,0040017D,?,004032FC,?,00000001,003D2592,?), ref: 0040033E
CloseHandle.KERNEL32(?,?,?,?,0040017D,?,004032FC,?,00000001,003D2592,?), ref: 0040034B
CloseHandle.KERNEL32(?,?,?,?,0040017D,?,004032FC,?,00000001,003D2592,?), ref: 00400358
CloseHandle.KERNEL32(?,?,?,?,0040017D,?,004032FC,?,00000001,003D2592,?), ref: 00400365

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 842bc964da1d18948d04388eed6bb01d12e51cfb117cf66852782f5dc6ee679c
Instruction ID: 029ed2b1988c6ad7b4bdedb90d8cfc71cbbf9a157a3610d5fcdf2cc6882c6886
Opcode Fuzzy Hash: 842bc964da1d18948d04388eed6bb01d12e51cfb117cf66852782f5dc6ee679c
Instruction Fuzzy Hash: 1401EE72800B019FCB31AF66D880903FBF9BF603153148A3FD19262A70C3B4A948CF84

Function 003CD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003CD752

Part of subcall function 003C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003CD7D1,00000000,00000000,00000000,00000000,?,003CD7F8,00000000,00000007,00000000,?,003CDBF5,00000000), ref: 003C29DE
Part of subcall function 003C29C8: GetLastError.KERNEL32(00000000,?,003CD7D1,00000000,00000000,00000000,00000000,?,003CD7F8,00000000,00000007,00000000,?,003CDBF5,00000000,00000000), ref: 003C29F0

_free.LIBCMT ref: 003CD764
_free.LIBCMT ref: 003CD776
_free.LIBCMT ref: 003CD788
_free.LIBCMT ref: 003CD79A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d4ba0153ee53311ee98aede1debcd5cbc3afef4783131dbb94e17954d866dc38
Instruction ID: 4fd0cd1d438401a8f653e291097ef495abdfe681b3f7014fbb58820829f7df5b
Opcode Fuzzy Hash: d4ba0153ee53311ee98aede1debcd5cbc3afef4783131dbb94e17954d866dc38
Instruction Fuzzy Hash: B2F0EC72544304AB8622FB64F9C5E1A77DDBB45711796082DF049EB502C730FC808764

Function 003F5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 003F5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 003F5C6F
MessageBeep.USER32(00000000), ref: 003F5C87
KillTimer.USER32(?,0000040A), ref: 003F5CA3
EndDialog.USER32(?,00000001), ref: 003F5CBD

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 655473f609fecb67c0b784f1f449c4402a2b59e5455ad404036a118d13ee722d
Instruction ID: 6046e858e8f8cf464e5b6534d8efde88bc53d6327602dbae63177b2865c86e3e
Opcode Fuzzy Hash: 655473f609fecb67c0b784f1f449c4402a2b59e5455ad404036a118d13ee722d
Instruction Fuzzy Hash: 96018B30600B049BEB315B10DD8EFB977B8BF00B05F400569A743A14E1DBF059458A94

Function 003C22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003C22BE

Part of subcall function 003C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003CD7D1,00000000,00000000,00000000,00000000,?,003CD7F8,00000000,00000007,00000000,?,003CDBF5,00000000), ref: 003C29DE
Part of subcall function 003C29C8: GetLastError.KERNEL32(00000000,?,003CD7D1,00000000,00000000,00000000,00000000,?,003CD7F8,00000000,00000007,00000000,?,003CDBF5,00000000,00000000), ref: 003C29F0

_free.LIBCMT ref: 003C22D0
_free.LIBCMT ref: 003C22E3
_free.LIBCMT ref: 003C22F4
_free.LIBCMT ref: 003C2305

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0cbbb331e6ceb7ac6a821cf63c9bedec33f5159be7120576e99e77b519dc3e0b
Instruction ID: 652caf194208bac8dcc69ccc9fc3e0dafe21138a4732865066575dad38593d67
Opcode Fuzzy Hash: 0cbbb331e6ceb7ac6a821cf63c9bedec33f5159be7120576e99e77b519dc3e0b
Instruction Fuzzy Hash: 5FF03A708402209F8617BF54BC41E0A3B64B719762705056EF410EA2B2EBB14D21EFAE

Function 003A95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003A95D4
StrokeAndFillPath.GDI32(?,?,003E71F7,00000000,?,?,?), ref: 003A95F0
SelectObject.GDI32(?,00000000), ref: 003A9603
DeleteObject.GDI32 ref: 003A9616
StrokePath.GDI32(?), ref: 003A9631

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 72ecca48c4e317fedf202e6da1b9dcf832b7d2a5ef414ef1ab88ee56e0feb18e
Instruction ID: 0ea5c5618f97be22324f250c0935560e421083293b29bdb868f5baec0adc1674
Opcode Fuzzy Hash: 72ecca48c4e317fedf202e6da1b9dcf832b7d2a5ef414ef1ab88ee56e0feb18e
Instruction Fuzzy Hash: EFF08170606204DBEB264F54EC5C7683B65EF02332F088234F415650F0D774455ADF69

Function 003C0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 003C10F9
__freea.LIBCMT ref: 003C1117

Part of subcall function 003C1537: _free.LIBCMT ref: 003C154F

Strings

am/pm, xrefs: 003C117A
a/p, xrefs: 003C11DE

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: b877da5aad9b935834c43dd3f40c94ba4d08e4aa7a3f8f28c9ea079d79386008
Instruction ID: 03ea1fcaf95b52543312054fd600ccb8bef68cad64b0589ef46a151af7874393
Opcode Fuzzy Hash: b877da5aad9b935834c43dd3f40c94ba4d08e4aa7a3f8f28c9ea079d79386008
Instruction Fuzzy Hash: 8BD10339900286CADB2B9F68C855FFAB7B4EF07304F29415DE901DBA52D3359D80EB91

Function 004161D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 003B0242: EnterCriticalSection.KERNEL32(0046070C,00461884,?,?,003A198B,00462518,?,?,?,003912F9,00000000), ref: 003B024D
Part of subcall function 003B0242: LeaveCriticalSection.KERNEL32(0046070C,?,003A198B,00462518,?,?,?,003912F9,00000000), ref: 003B028A

Part of subcall function 003B00A3: __onexit.LIBCMT ref: 003B00A9

__Init_thread_footer.LIBCMT ref: 00416238

Part of subcall function 003B01F8: EnterCriticalSection.KERNEL32(0046070C,?,?,003A8747,00462514), ref: 003B0202
Part of subcall function 003B01F8: LeaveCriticalSection.KERNEL32(0046070C,?,003A8747,00462514), ref: 003B0235

Part of subcall function 0040359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004035E4
Part of subcall function 0040359C: LoadStringW.USER32(00462390,?,00000FFF,?), ref: 0040360A

Strings

x#F, xrefs: 00416353
x#F, xrefs: 0041636F
x#F, xrefs: 0041633A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#F$x#F$x#F
API String ID: 1072379062-2249226960
Opcode ID: ffd63c76f4caa5cd4c138917d5df10462c06451e04ea25cff6b02792577a4c99
Instruction ID: face0a5ce6fb76a1fe392f6412dd4d9420a15e3a31a451b3203e27b1418f0806
Opcode Fuzzy Hash: ffd63c76f4caa5cd4c138917d5df10462c06451e04ea25cff6b02792577a4c99
Instruction Fuzzy Hash: 7AC18C71A00109AFCB15DF58C890EFEB7B9EF48300F15806AF915AB291DB74ED85CB99

Function 003C5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO9, xrefs: 003C5BA8, 003C5C6C

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID: JO9
API String ID: 0-2863139526
Opcode ID: 4bd79f24568f3d2dabc8afc34b0dfbffae0d629e7c10e60a8d304eb3a6d271b6
Instruction ID: d4b782bc7e7352ab05824bc6462dcc6e6feffea5f2489609603ef487f9892a60
Opcode Fuzzy Hash: 4bd79f24568f3d2dabc8afc34b0dfbffae0d629e7c10e60a8d304eb3a6d271b6
Instruction Fuzzy Hash: 0251BD75A00A09AFCB229FA4CD45FEEBFB8AF05314F15405DF405EB292D771AD818B61

Function 003C8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 003C8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 003C8B7A
__dosmaperr.LIBCMT ref: 003C8B81

Strings

.;, xrefs: 003C8A63

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .;
API String ID: 2434981716-414037994
Opcode ID: ab1d9aaf32bba556d7705adffccef5d097cc8d93b79588bb7487eb01951d5f19
Instruction ID: 7e62e6d46c55541902ce52d75a3dc15b15dfd587643955db94b45f370c901861
Opcode Fuzzy Hash: ab1d9aaf32bba556d7705adffccef5d097cc8d93b79588bb7487eb01951d5f19
Instruction Fuzzy Hash: 8741ACB4604045AFDB269F28CC81FBD7FA5DF85304F2945AEF885CB542DE718E128794

Function 003F2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003FB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003F21D0,?,?,00000034,00000800,?,00000034), ref: 003FB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 003F2760

Part of subcall function 003FB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003F21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 003FB3F8

Part of subcall function 003FB32A: GetWindowThreadProcessId.USER32(?,?), ref: 003FB355
Part of subcall function 003FB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,003F2194,00000034,?,?,00001004,00000000,00000000), ref: 003FB365
Part of subcall function 003FB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,003F2194,00000034,?,?,00001004,00000000,00000000), ref: 003FB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003F27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003F281A

Strings

@, xrefs: 003F2832

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 1c060ec61b5c96d3021a316c1a5971b2dd89c40b044908e78b471d27342fd72d
Instruction ID: 287339578bada27c4725d376ac86bf5d02e2cec0f1977985857b9b9a4225f8e5
Opcode Fuzzy Hash: 1c060ec61b5c96d3021a316c1a5971b2dd89c40b044908e78b471d27342fd72d
Instruction Fuzzy Hash: 56414E76A0021CAFDB11DFA4CD82AEEBBB8EF09300F004055FA55BB191DB706E45CBA1

Function 003C172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 003C1769
_free.LIBCMT ref: 003C1834
_free.LIBCMT ref: 003C183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 003C1760, 003C1767, 003C1796, 003C17CE

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 0fccca99f88049dca957d4d9426c40e696b5377a2ed66d5f6d6b69d63e113860
Instruction ID: a6458cb1389e15251be4180ab41e1dd99cd0f02b3629ebafccd6b823388b056a
Opcode Fuzzy Hash: 0fccca99f88049dca957d4d9426c40e696b5377a2ed66d5f6d6b69d63e113860
Instruction Fuzzy Hash: FA318575A44318AFDB22DF959C81E9EBBBCEB86310B1541AAE404DB212D6B04E40DB91

Function 003FC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003FC306
DeleteMenu.USER32(?,00000007,00000000), ref: 003FC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00461990,00DE5488), ref: 003FC395

Strings

0, xrefs: 003FC2DF

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: f8c057c3a4286164988955b048476b981c6af7ecadda5ee29b2c9bd343f90e1a
Instruction ID: 544da100105a50180a83416b404a3a1ccaad51e959fe193a28d244f8dd63c6e5
Opcode Fuzzy Hash: f8c057c3a4286164988955b048476b981c6af7ecadda5ee29b2c9bd343f90e1a
Instruction Fuzzy Hash: C841D2352443099FD722DF25D984B6ABBE8AF85350F009A1EFAA59B2D1C734E904CB52

Function 00424416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0042CC08,00000000,?,?,?,?), ref: 004244AA
GetWindowLongW.USER32 ref: 004244C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004244D7

Strings

SysTreeView32, xrefs: 0042447C

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: d7fba67b829b638654342309cd9dc178be87f70bd4a8f0bf999a7507cff6f891
Instruction ID: dbffd88146a4eeff22da12b3bd0608f6b5a4d958be623261294c9edc6c500c00
Opcode Fuzzy Hash: d7fba67b829b638654342309cd9dc178be87f70bd4a8f0bf999a7507cff6f891
Instruction Fuzzy Hash: 4E319E31200615ABDB219E38EC45BEB7BA9EB48324F604326F975A22D0D778EC519B54

Function 003F6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 003F6EED
VariantCopyInd.OLEAUT32(?,?), ref: 003F6F08
VariantClear.OLEAUT32(?), ref: 003F6F12

Strings

*j?, xrefs: 003F6E8B, 003F6E90, 003F6EF8

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j?
API String ID: 2173805711-3824137268
Opcode ID: 70393fb8aeda6679b2ca19d92b4b380d148857c1b4f12d1470263dcbd4306f59
Instruction ID: e16dec54635072308224772cc884c0e1836d22de2bcc4c7d6521fd88c45fe4d7
Opcode Fuzzy Hash: 70393fb8aeda6679b2ca19d92b4b380d148857c1b4f12d1470263dcbd4306f59
Instruction Fuzzy Hash: CC317371604359DFCF06AF64E9929BE7779EF45304B1404A8FA024F2A1C7349922DBD4

Function 0041304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0041335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00413077,?,?), ref: 00413378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0041307A
_wcslen.LIBCMT ref: 0041309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00413106

Strings

255.255.255.255, xrefs: 00413095, 0041309A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 82b2ce54841dc779b943b28e33e90d334cb6882c0af5e388faa32be02497006a
Instruction ID: 73bd39b6b5206a739f759949f5358a71ebd1c69caa904ad3e05e030e46ae7231
Opcode Fuzzy Hash: 82b2ce54841dc779b943b28e33e90d334cb6882c0af5e388faa32be02497006a
Instruction Fuzzy Hash: C831E7356042059FCB20CF28C585EEA7BE0EF18319F24C09AE9158F392D779EE85C765

Function 00424653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00424705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00424713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0042471A

Strings

msctls_updown32, xrefs: 00424684

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: a46d6ad23b71d01b7b3fd7181c12dcebe275f717b1736eeecc3726e632b86393
Instruction ID: 19e48e8900fd736d12427e60d4408e8a0d13a66d587d5458e9c0d6b101a41cf4
Opcode Fuzzy Hash: a46d6ad23b71d01b7b3fd7181c12dcebe275f717b1736eeecc3726e632b86393
Instruction Fuzzy Hash: F32160B5600218AFDB11DF64ECC1DBB37ADEF9A394B44005AFA149B361DB74EC11CA64

Function 003F95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003F961D

Strings

#notrayicon, xrefs: 003F95B7
#OnAutoItStartRegister, xrefs: 003F95F3
#requireadmin, xrefs: 003F95D9

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 050b510da312e874781b1656072456391aba5dd2af3e8b45bf37f8f9373e7436
Instruction ID: a4ba10211324d25852807f3c151fb88ce8e3e2d69613e5ab2a8601162d9fb7d6
Opcode Fuzzy Hash: 050b510da312e874781b1656072456391aba5dd2af3e8b45bf37f8f9373e7436
Instruction Fuzzy Hash: 1E215B3220412566C733AB24DC02FB773DC9F52314F514027FB49DB481EB65ED45C295

Function 004237B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00423840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00423850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00423876

Strings

Listbox, xrefs: 0042380F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a14dc4c46a807ecd7415ef457a6f918c30da1537e3d7d318488a2edac09b5bd0
Instruction ID: 45c29605216b5c3a181acd05eabd5a7e5da980f8d021b0de89497b5b9c78bc7f
Opcode Fuzzy Hash: a14dc4c46a807ecd7415ef457a6f918c30da1537e3d7d318488a2edac09b5bd0
Instruction Fuzzy Hash: 8C21B3727002287BEF219F54DC81FBB377AEF89751F508125F9049B290C679DC528794

Function 004049F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00404A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00404A5C
SetErrorMode.KERNEL32(00000000,?,?,0042CC08), ref: 00404AD0

Strings

%lu, xrefs: 00404A6F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 540a6b6d0044df2c08810fa4851853fbee9fe7c48eb581143cbb9d7f36db7928
Instruction ID: 4d620428203a100775200aef9de10c172cedfdf72772c952fd68a0abe2c0e9d9
Opcode Fuzzy Hash: 540a6b6d0044df2c08810fa4851853fbee9fe7c48eb581143cbb9d7f36db7928
Instruction Fuzzy Hash: BE316D71A00109AFDB11DF54C885EAA77B8EF44304F1480A9E905DF252D775ED46CF61

Function 004241EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0042424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00424264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00424271

Strings

msctls_trackbar32, xrefs: 00424226

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 989fcc877881a5964882478ad1b69c7dc7b5c436515505466130f3942cdc95e3
Instruction ID: a3492bc47b818cb256c08a28c8293a72b111d5f5f99e6cf02515855a2fffb467
Opcode Fuzzy Hash: 989fcc877881a5964882478ad1b69c7dc7b5c436515505466130f3942cdc95e3
Instruction Fuzzy Hash: 8B11E331340218BEEF215E29DC46FAB3BACEF85B64F110125FA55E61A0D6B5D8219B28

Function 003F2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00396B57: _wcslen.LIBCMT ref: 00396B6A

Part of subcall function 003F2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 003F2DC5
Part of subcall function 003F2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 003F2DD6
Part of subcall function 003F2DA7: GetCurrentThreadId.KERNEL32 ref: 003F2DDD
Part of subcall function 003F2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 003F2DE4

GetFocus.USER32 ref: 003F2F78

Part of subcall function 003F2DEE: GetParent.USER32(00000000), ref: 003F2DF9

GetClassNameW.USER32(?,?,00000100), ref: 003F2FC3
EnumChildWindows.USER32(?,003F303B), ref: 003F2FEB

Strings

%s%d, xrefs: 003F2FFF

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 80dc29c5a412286a35c9c2510fbf7acc203f6f7e7a61a372fb512bc4234ed55d
Instruction ID: bfc34cee744cab05a6ef029a3ad3a624db2a77cd625ac0ca4b88932770c49e2b
Opcode Fuzzy Hash: 80dc29c5a412286a35c9c2510fbf7acc203f6f7e7a61a372fb512bc4234ed55d
Instruction Fuzzy Hash: CD11AF71700209ABCF167F649CD6EFE376AAF84304F044076FA199B292DE70994A8B61

Function 00425882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004258C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004258EE
DrawMenuBar.USER32(?), ref: 004258FD

Strings

0, xrefs: 0042588F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: eb63996e5d2442f54ed2b703959c5552e3979a69a1bce0849ecad015c54678db
Instruction ID: c7b267cebd17d0ce997939f6b6f67e9f07a04ac4664aefc99083d71f967ae0ed
Opcode Fuzzy Hash: eb63996e5d2442f54ed2b703959c5552e3979a69a1bce0849ecad015c54678db
Instruction Fuzzy Hash: B2016571600228EFDB219F51EC44BAFBBB4FF45360F5080A6E849D6151DB348AC5DF25

Function 003ED3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 003ED3BF
FreeLibrary.KERNEL32 ref: 003ED3E5

Strings

GetSystemWow64DirectoryW, xrefs: 003ED3B9
X64, xrefs: 003ED2A8

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: cc79e3a2aa0efef20d38b0c380e55a357072f854c897a35e0fc0002e5b72434b
Instruction ID: c99872c2136f5fec9bfa3b9982e8139556959e71dccd76e951fc8ae9e984e14c
Opcode Fuzzy Hash: cc79e3a2aa0efef20d38b0c380e55a357072f854c897a35e0fc0002e5b72434b
Instruction Fuzzy Hash: A3F05C25A019708BD33342124C9496D3318AF10701BA68B26E903E1684D724CD408A9A

Function 003F007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c18d4d4c9e0b59dd3a839b04c2456b05441277e24e9261942e9d58dd78253085
Instruction ID: 92812094a891c561488fb0559b082e5a1f3c2321d3058dbacdf915fb90432eca
Opcode Fuzzy Hash: c18d4d4c9e0b59dd3a839b04c2456b05441277e24e9261942e9d58dd78253085
Instruction Fuzzy Hash: 3DC16D75A0020AEFCB19CF98C894ABEB7B5FF48304F118599E505EB252D731ED41CB90

Function 0041342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00413459
CoUninitialize.OLE32 ref: 00413463
VariantInit.OLEAUT32(?), ref: 0041346E
VariantClear.OLEAUT32(?), ref: 0041371B

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: c05844454f2ba824e0abfc675c96995937fa7c3061aef2c3d96fc07f660d76e6
Instruction ID: 5beb55f85acd3b0f7f0679b3cfb54c78fb10dbaa76011306a9a30cbe43439b12
Opcode Fuzzy Hash: c05844454f2ba824e0abfc675c96995937fa7c3061aef2c3d96fc07f660d76e6
Instruction Fuzzy Hash: C9A18D752083009FCB11DF24C485A6AB7E5FF89714F05885EF98A9B3A2DB34ED41CB56

Function 003F0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0042FC08,?), ref: 003F05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0042FC08,?), ref: 003F0608
CLSIDFromProgID.OLE32(?,?,00000000,0042CC40,000000FF,?,00000000,00000800,00000000,?,0042FC08,?), ref: 003F062D
_memcmp.LIBVCRUNTIME ref: 003F064E

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 9e365975c947dd8caebfb9d304ed1f5e32e9d3915fb73f47b47c13e72fb27144
Instruction ID: 55ecdded660151f504089e0f671794d132c3d007ba625933e5a2bc7daafd13e7
Opcode Fuzzy Hash: 9e365975c947dd8caebfb9d304ed1f5e32e9d3915fb73f47b47c13e72fb27144
Instruction Fuzzy Hash: 16811A75A00109EFCB05DF98C984EEEB7B9FF89315F204558E606EB251DB71AE06CB60

Function 0041A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0041A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0041A6BA

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

Process32NextW.KERNEL32(00000000,?), ref: 0041A79C
CloseHandle.KERNEL32(00000000), ref: 0041A7AB

Part of subcall function 003ACE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,003D3303,?), ref: 003ACE8A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d946023305b58fb2141270b07fcf6f3ac99e815af6ccebd7160535376a68173c
Instruction ID: 357fc77f46e8478b04c0e9efddc8714f9194e8040ce0d3d074578044ece4ade6
Opcode Fuzzy Hash: d946023305b58fb2141270b07fcf6f3ac99e815af6ccebd7160535376a68173c
Instruction Fuzzy Hash: DD516D71508300AFD711EF25C886A6FBBE8FF89754F40492EF5959B251EB30D904CB96

Function 003D1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003D14C0

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a24c85017a6814a5b2eac0c5ab4dacd71e6ac6ef84f627423ba44ece267c7120
Instruction ID: bfca4713d4eadb41b323e8948be5d9cecd48ff967a5c1ce4c597090f6cce9fd3
Opcode Fuzzy Hash: a24c85017a6814a5b2eac0c5ab4dacd71e6ac6ef84f627423ba44ece267c7120
Instruction Fuzzy Hash: 31414B776005007BDB276BBABC46BAE3AB5EF42330F15062BF518DE791E6744C415361

Function 00426278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004262E2
ScreenToClient.USER32(?,?), ref: 00426315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00426382

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 137549441f94fb621a65113f0c0fcaec8c149ab1f4ac04198031446e9a9b0fe0
Instruction ID: 5dd687b4e62165b254de960c5f311c51ed55e958adb265e83ea5bec7825f47e6
Opcode Fuzzy Hash: 137549441f94fb621a65113f0c0fcaec8c149ab1f4ac04198031446e9a9b0fe0
Instruction Fuzzy Hash: 50512C74A00219EFDF20DF68E8809AE7BB5EF45360F51816AF8159B3A0D774ED41CB94

Function 00411AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00411AFD
WSAGetLastError.WSOCK32 ref: 00411B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00411B8A
WSAGetLastError.WSOCK32 ref: 00411B94

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 35aeb3f2dd089d6396badf12fe03af93e2625b1a5a4780f44393fe50a2fd58ab
Instruction ID: 25531ede40648feeafef76a4b8dbdeb96e79a63b78d0eb6175de5f53e1ac1a13
Opcode Fuzzy Hash: 35aeb3f2dd089d6396badf12fe03af93e2625b1a5a4780f44393fe50a2fd58ab
Instruction Fuzzy Hash: C341D634600200AFEB21AF24C886F6A77E5EB45718F54C459F61A9F3D2D776ED82CB90

Function 003CB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbffc2497fe1d43c21aa1bbb1b2d5b4d2fc7813545c0e1c0288f04fd5a42c327
Instruction ID: 71ed6fc13ac8020039e64c6d382760c927b1c574c61f46caac047dbfe7e1604a
Opcode Fuzzy Hash: cbffc2497fe1d43c21aa1bbb1b2d5b4d2fc7813545c0e1c0288f04fd5a42c327
Instruction Fuzzy Hash: ED41D376A04304BFD72A9F79CC42FAABBA9EB88710F10852EF141DF682D7719D018780

Function 004056D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00405783
GetLastError.KERNEL32(?,00000000), ref: 004057A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004057CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004057FA

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 4014acfeb3a1fe14c530cf6c075ec0aeb81a11f5fe535cf67a60436dd56e95c6
Instruction ID: d9d2c89be3b7f100b4974fa75124c6c0264a6cbc4803df1754bc270011b09886
Opcode Fuzzy Hash: 4014acfeb3a1fe14c530cf6c075ec0aeb81a11f5fe535cf67a60436dd56e95c6
Instruction Fuzzy Hash: DA411B39614610DFCB11EF15C544A1EBBE1EF89720B198499E84A6F3A2CB34FD01CB95

Function 003CD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,003B6D71,00000000,00000000,003B82D9,?,003B82D9,?,00000001,003B6D71,?,00000001,003B82D9,003B82D9), ref: 003CD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003CD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 003CD9AB
__freea.LIBCMT ref: 003CD9B4

Part of subcall function 003C3820: HeapAlloc.KERNEL32(00000000,?,00461444,?,003AFDF5,?,?,0039A976,00000010,00461440,003913FC,?,003913C6,?,00391129), ref: 003C3852

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__freea
String ID:
API String ID: 573072132-0
Opcode ID: 168b29b5b4509ae5ba38da6a822ddf7756f5785904d3ef38748e3e3d5adf05e0
Instruction ID: 3e4a16b65cc7522b1b878bb64fd066ac577656ea29868e545fff554df1ecdf01
Opcode Fuzzy Hash: 168b29b5b4509ae5ba38da6a822ddf7756f5785904d3ef38748e3e3d5adf05e0
Instruction Fuzzy Hash: B631AD72A0020AABDB26DF64DC81EAE7BA5EB41710B06427CFC04DA291EB35DD51CB90

Function 004252C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00425352
GetWindowLongW.USER32(?,000000F0), ref: 00425375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00425382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004253A8

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: b9f34bfc3d0311b9df046b2cd319c0f6702784bc91a6f268eea48de893e2ad03
Instruction ID: a55c3cd4ed9d097515661e88a49c1979cc745977541d5fe7e33b4daeccff8d31
Opcode Fuzzy Hash: b9f34bfc3d0311b9df046b2cd319c0f6702784bc91a6f268eea48de893e2ad03
Instruction Fuzzy Hash: 9B31D430B55A28AFEB30DA14EC45BEA3761AB04390FD86113FE10962E0C7B89D419B4A

Function 003FAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 003FABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 003FAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 003FAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 003FACC6

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4f37d761e49a99f5234d1340a6a223da3d78d06ae3079488d57146467cb2f472
Instruction ID: d41af96466948c94af7d11f9019f62804ff447bdcf3bc5104e5feb7df6226b75
Opcode Fuzzy Hash: 4f37d761e49a99f5234d1340a6a223da3d78d06ae3079488d57146467cb2f472
Instruction Fuzzy Hash: 0B3109B0A04B1CAFFF36CB658C14BFE7BA5AB49310F04431AE689D61D1C37589858796

Function 00427674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0042769A
GetWindowRect.USER32(?,?), ref: 00427710
PtInRect.USER32(?,?,00428B89), ref: 00427720
MessageBeep.USER32(00000000), ref: 0042778C

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1bc52bf8c196e3eb72fde8dd01dcd8377f7abea485fd836fd391c16be84b7196
Instruction ID: 0d0a9ac0c1fc9746fc9362b0c2262d780e672de15879191b6e6ce8935cad4f23
Opcode Fuzzy Hash: 1bc52bf8c196e3eb72fde8dd01dcd8377f7abea485fd836fd391c16be84b7196
Instruction Fuzzy Hash: 9141AD347052259FCB11CF58E884EA9B7F0BF88314F9840AAE8149B361D378B942CF98

Function 004216DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004216EB

Part of subcall function 003F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 003F3A57
Part of subcall function 003F3A3D: GetCurrentThreadId.KERNEL32 ref: 003F3A5E
Part of subcall function 003F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003F25B3), ref: 003F3A65

GetCaretPos.USER32(?), ref: 004216FF
ClientToScreen.USER32(00000000,?), ref: 0042174C
GetForegroundWindow.USER32 ref: 00421752

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f44bac481d2c42334449bacbe77de053f0ede1f5a39cbc0e024384ea0e680b1b
Instruction ID: 3f13ebd8892fa4ef7c853410a5576c51846ffab484b4fdada00b6e554009ed10
Opcode Fuzzy Hash: f44bac481d2c42334449bacbe77de053f0ede1f5a39cbc0e024384ea0e680b1b
Instruction Fuzzy Hash: DD314375E00149AFDB11DFA6C8C1CAEB7F9EF88304B50406AE415EB351E7359E45CBA1

Function 00428FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003A9BB2

GetCursorPos.USER32(?), ref: 00429001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,003E7711,?,?,?,?,?), ref: 00429016
GetCursorPos.USER32(?), ref: 0042905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,003E7711,?,?,?), ref: 00429094

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 711dea8e69bc9afca542fed3706a9df43becb996c271a5a46caa1b1041950c33
Instruction ID: 9b3a840c6135f01ac2969f4a5b884f265914a8964e1dc1ceb9bdc5ef9c8e7f5a
Opcode Fuzzy Hash: 711dea8e69bc9afca542fed3706a9df43becb996c271a5a46caa1b1041950c33
Instruction Fuzzy Hash: 11219C31700028EFCB268F94D898EEB3BB9FF89350F44416AF9058B261D3399D91DB65

Function 003FD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0042CB68), ref: 003FD2FB
GetLastError.KERNEL32 ref: 003FD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 003FD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0042CB68), ref: 003FD376

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 6fa4cfecd66202f5a9c16aab9b323a04bcd2429d92ea980411eb22a5dfe3ec81
Instruction ID: d2699e678ec94f3bd066eb2e7703ef99e583b079f74e329d13b8d5ada4964f08
Opcode Fuzzy Hash: 6fa4cfecd66202f5a9c16aab9b323a04bcd2429d92ea980411eb22a5dfe3ec81
Instruction Fuzzy Hash: DB2102746083059F8711DF28C88487EB7E9EF5A324F600A1EF699C72A1DB31D906CB93

Function 003F1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003F102A
Part of subcall function 003F1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003F1036
Part of subcall function 003F1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003F1045
Part of subcall function 003F1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003F104C
Part of subcall function 003F1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003F1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003F15BE
_memcmp.LIBVCRUNTIME ref: 003F15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003F1617
HeapFree.KERNEL32(00000000), ref: 003F161E

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 58a93057434c34beaaef95848d0e33da75bfd56117b6852d782020cc3211b72b
Instruction ID: 97ee268f1a503a44aaa939378d10c45af082e8a1fc2a6c372c21ca08369a1cf7
Opcode Fuzzy Hash: 58a93057434c34beaaef95848d0e33da75bfd56117b6852d782020cc3211b72b
Instruction Fuzzy Hash: 57219A31E40109EFDF11DFA4D945BFEB7B8EF44344F094459E945AB241E731AA05CBA0

Function 00422782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0042280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00422824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00422832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00422840

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: fb2316631a276691e8e7a318e183570909e399d338cc0f8296833e486af7120b
Instruction ID: e50549bf8442e71ccf5f70e19c1a3056dad33a8a43ea25b91616eda9525c4bfa
Opcode Fuzzy Hash: fb2316631a276691e8e7a318e183570909e399d338cc0f8296833e486af7120b
Instruction Fuzzy Hash: 1621F431308520BFD714AB24DD44F6AB795AF85324F548259F4168B6E2CBB9FC82C794

Function 003F78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 003F8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,003F790A,?,000000FF,?,003F8754,00000000,?,0000001C,?,?), ref: 003F8D8C
Part of subcall function 003F8D7D: lstrcpyW.KERNEL32(00000000,?,?,003F790A,?,000000FF,?,003F8754,00000000,?,0000001C,?,?,00000000), ref: 003F8DB2
Part of subcall function 003F8D7D: lstrcmpiW.KERNEL32(00000000,?,003F790A,?,000000FF,?,003F8754,00000000,?,0000001C,?,?), ref: 003F8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,003F8754,00000000,?,0000001C,?,?,00000000), ref: 003F7923
lstrcpyW.KERNEL32(00000000,?,?,003F8754,00000000,?,0000001C,?,?,00000000), ref: 003F7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,003F8754,00000000,?,0000001C,?,?,00000000), ref: 003F7984

Strings

cdecl, xrefs: 003F797B

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: cbcec33d72b48872643423117a42c6fb2d3cad8890c8077161f60b0e5f1d37ae
Instruction ID: fc1eb1657c3b74f4b094f440125126c751d07a8d58dd23130bf4e8a0d8256117
Opcode Fuzzy Hash: cbcec33d72b48872643423117a42c6fb2d3cad8890c8077161f60b0e5f1d37ae
Instruction Fuzzy Hash: 7A11263A200306AFDB269F34CC45E7B77A9FF85750B50402AFA02CB2A4EF719811C7A5

Function 00427CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00427D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00427D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00427D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0040B7AD,00000000), ref: 00427D6B

Part of subcall function 003A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003A9BB2

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 155a3bf8b6e1a6d2ed26e6e03185a227c4c552f11a579d8b51b96b139a0b13d1
Instruction ID: d4d0d7179379212e17e189bc4b61ef040df6e8b6b7d07b6f6a2abcf20981dcd1
Opcode Fuzzy Hash: 155a3bf8b6e1a6d2ed26e6e03185a227c4c552f11a579d8b51b96b139a0b13d1
Instruction Fuzzy Hash: 3E11DF31314625AFCB109F28EC44AAA3BA5AF45360B958736F839DB2F0E7349951CB58

Function 00425660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004256BB
_wcslen.LIBCMT ref: 004256CD
_wcslen.LIBCMT ref: 004256D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00425816

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 7d3ac0335fd3a6dbe6d44324de7cf61cb496dfcbc8f2022d294e257e5213a900
Instruction ID: da7310976d7e4e7dfc0fef93781fc52a6c82b7c09ed1279a1519a59b66340c0e
Opcode Fuzzy Hash: 7d3ac0335fd3a6dbe6d44324de7cf61cb496dfcbc8f2022d294e257e5213a900
Instruction Fuzzy Hash: C011E17170062896DB20EF61AC85AEF77ACEF10364B904027F915D6181E7B8CA85CB6D

Function 003C1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5401579731259d4d7612756da949ffc57465614a59add8dfc27c577c27ad0d
Instruction ID: 48575264e878ea5c8de7bd885d5b03f5189957b2ee0c3aee75a8c06289f1549c
Opcode Fuzzy Hash: 8d5401579731259d4d7612756da949ffc57465614a59add8dfc27c577c27ad0d
Instruction Fuzzy Hash: A6018FB2205A163EF62216786CC5F37661CDF423B8B36032DF522D51D6DB608C1062A0

Function 003F1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 003F1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003F1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003F1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003F1A8A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 24718f1739062b02c69011b3a7f0f06c581c9c186ab2a896d39872a38559bafe
Instruction ID: e416e5e81a3867089f27568c9072dd732a2879ab476e4de9817d4c5754e76c8f
Opcode Fuzzy Hash: 24718f1739062b02c69011b3a7f0f06c581c9c186ab2a896d39872a38559bafe
Instruction Fuzzy Hash: 5E11393AD01219FFEF11DBA5CD85FADBB78EB08750F2000A1EA00B7290D671AE50DB94

Function 003FE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003FE1FD
MessageBoxW.USER32(?,?,?,?), ref: 003FE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003FE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003FE24D

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 973aabee9faf8bb56012fece8b7db9155aa7fb56a601de46fad413933438a4f6
Instruction ID: 38164fba11e1091c2de84126340a63407a985a2c73d53d3db857348e564d4f07
Opcode Fuzzy Hash: 973aabee9faf8bb56012fece8b7db9155aa7fb56a601de46fad413933438a4f6
Instruction Fuzzy Hash: C8112B72A04258BBD7129FA8DC45AAE7FACAB45320F144635F925D33A0F2B0CD0087A5

Function 003BD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,003BCFF9,00000000,00000004,00000000), ref: 003BD218
GetLastError.KERNEL32 ref: 003BD224
__dosmaperr.LIBCMT ref: 003BD22B
ResumeThread.KERNEL32(00000000), ref: 003BD249

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 967aa7d87378b3ac320723da99b066462912bf0f3cedfd96880867a85ca9f45f
Instruction ID: 325aeb27ea3113f96e2f17d759820e418f8c25890816ed33a1d744db97757dd8
Opcode Fuzzy Hash: 967aa7d87378b3ac320723da99b066462912bf0f3cedfd96880867a85ca9f45f
Instruction Fuzzy Hash: B901D6369052087FCB225BA5DC45BEE7A6DDF81338F110629FB259A9D0EB718901C7A0

Function 00429EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 003A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003A9BB2

GetClientRect.USER32(?,?), ref: 00429F31
GetCursorPos.USER32(?), ref: 00429F3B
ScreenToClient.USER32(?,?), ref: 00429F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00429F7A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 6f43fffa89ad89236093f41418879a077f264815854c33c8f1b652d6d1de3a90
Instruction ID: c76ccc39652f5757b4592574bcd19a61423feeb513e3028bbecc57e1e380c400
Opcode Fuzzy Hash: 6f43fffa89ad89236093f41418879a077f264815854c33c8f1b652d6d1de3a90
Instruction Fuzzy Hash: 33118C31A0012AABCB10DF58E9859EE77B8FF05301F800466F811E3150D338BE82CBA9

Function 0039600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0039604C
GetStockObject.GDI32(00000011), ref: 00396060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0039606A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: e0d9e2429545fef0820d636a81b093dcfda7ce9b09a8db195005ab25d8dbc40d
Instruction ID: 12f0664e05e8d1f95ac28f037a9e1bdfb80b0bf810bd226060857b13e6fa9c92
Opcode Fuzzy Hash: e0d9e2429545fef0820d636a81b093dcfda7ce9b09a8db195005ab25d8dbc40d
Instruction Fuzzy Hash: C011A172506509BFEF224F949C85EEABB6DEF08394F050115FA0452210D7329C60DB90

Function 003B3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 003B3B56

Part of subcall function 003B3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 003B3AD2
Part of subcall function 003B3AA3: ___AdjustPointer.LIBCMT ref: 003B3AED

_UnwindNestedFrames.LIBCMT ref: 003B3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 003B3B7C
CallCatchBlock.LIBVCRUNTIME ref: 003B3BA4

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: ffabb86eff774b8de6bb1ec81af10593fb52684a03e07af151664efbfdcec204
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 75012932100148BBDF12AE95CC42EEB7B69FF48758F054014FF489A521D732E961EBA0

Function 003C3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003913C6,00000000,00000000,?,003C301A,003913C6,00000000,00000000,00000000,?,003C328B,00000006,FlsSetValue), ref: 003C30A5
GetLastError.KERNEL32(?,003C301A,003913C6,00000000,00000000,00000000,?,003C328B,00000006,FlsSetValue,00432290,FlsSetValue,00000000,00000364,?,003C2E46), ref: 003C30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,003C301A,003913C6,00000000,00000000,00000000,?,003C328B,00000006,FlsSetValue,00432290,FlsSetValue,00000000), ref: 003C30BF

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 13e5cee986ecb598da827e54de51e10421b6d23cbbe9430d4bfc53148dc7dee4
Instruction ID: 55cf9e6f879e82801eded6fd523bd7e61a07e0f10fd762c7297e5978400891b4
Opcode Fuzzy Hash: 13e5cee986ecb598da827e54de51e10421b6d23cbbe9430d4bfc53148dc7dee4
Instruction Fuzzy Hash: 2201D833741632ABC7324A78AC84F677798AF05761B118638F907D3140D721DD01C7E4

Function 003F7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 003F747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003F7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003F74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003F74CA

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: bce74fa08e9a1bea694be1d97a30a5126083957420d93d2d3baa3feb4056eb4d
Instruction ID: 95336266045bf19968bdddbc18faa0e769833171fb4883d15cd5510628b08208
Opcode Fuzzy Hash: bce74fa08e9a1bea694be1d97a30a5126083957420d93d2d3baa3feb4056eb4d
Instruction Fuzzy Hash: 2511EDB0205309ABE3318F15EC08BB6BBFCEB00B00F108169E616D7191D7B0E904CBA0

Function 003FB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,003FACD3,?,00008000), ref: 003FB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,003FACD3,?,00008000), ref: 003FB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,003FACD3,?,00008000), ref: 003FB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,003FACD3,?,00008000), ref: 003FB126

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: ce5fd8d24ef47a4d250664345fea99d3046c48880e94f2fb65b9f915d9688c47
Instruction ID: d624ce99432e68891070c56504f8d6050850244571d1357d3d2812e567f8b0e9
Opcode Fuzzy Hash: ce5fd8d24ef47a4d250664345fea99d3046c48880e94f2fb65b9f915d9688c47
Instruction Fuzzy Hash: 4C118B70D00A2DE7CF11AFE4E9A96FEFB78FF09311F014095DA81B2281CB3086518B55

Function 00427E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00427E33
ScreenToClient.USER32(?,?), ref: 00427E4B
ScreenToClient.USER32(?,?), ref: 00427E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00427E8A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: ef342ac172416e46bb46e8aac841a6e91ee47d13d6ddcdc8066653516f95a49e
Instruction ID: 513a50daee64434b7bfcf25dc32a8d5446839704cf732d041a61c57a8fce7668
Opcode Fuzzy Hash: ef342ac172416e46bb46e8aac841a6e91ee47d13d6ddcdc8066653516f95a49e
Instruction Fuzzy Hash: 821143B9E0020AAFDB51CF98D8849EEBBF5FF08350F505066E915E2210D735AA55CF94

Function 003F2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 003F2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 003F2DD6
GetCurrentThreadId.KERNEL32 ref: 003F2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 003F2DE4

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b736a0b1acdc713d1ae3375b91d78e4af8e4e55047d67dbecc3527961fef4418
Instruction ID: 6214bccc02f5a2dff1ec8bfd92d2fc241bea3388e1ebe54e2678494f1ac110fe
Opcode Fuzzy Hash: b736a0b1acdc713d1ae3375b91d78e4af8e4e55047d67dbecc3527961fef4418
Instruction Fuzzy Hash: 97E06D71241628BBE7301B629C4EFFB7E6CEB42BA1F800125B205D1080DAA48842C6B0

Function 00428863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 003A9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003A9693
Part of subcall function 003A9639: SelectObject.GDI32(?,00000000), ref: 003A96A2
Part of subcall function 003A9639: BeginPath.GDI32(?), ref: 003A96B9
Part of subcall function 003A9639: SelectObject.GDI32(?,00000000), ref: 003A96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00428887
LineTo.GDI32(?,?,?), ref: 00428894
EndPath.GDI32(?), ref: 004288A4
StrokePath.GDI32(?), ref: 004288B2

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: ed156c7ab17702f03ed8076ab5ed34f68df497370b78f2c48fb40fb94422acb5
Instruction ID: 9a8b7fd679ee75d3128b09de5d2929a054f5870ed5db5f832b9e869f71ab2192
Opcode Fuzzy Hash: ed156c7ab17702f03ed8076ab5ed34f68df497370b78f2c48fb40fb94422acb5
Instruction Fuzzy Hash: F3F05435242554F6EB226F94AC09FDE3F59AF06310F848011FA11651E1C7B55511CFED

Function 003A98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 003A98CC
SetTextColor.GDI32(?,?), ref: 003A98D6
SetBkMode.GDI32(?,00000001), ref: 003A98E9
GetStockObject.GDI32(00000005), ref: 003A98F1

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 7ef547225f3874c74a209f4498bdda902b00337a391f0a7ab2d315ffb3a67273
Instruction ID: 78ff060c1e14d207574352b1b897ce5d88dcf5c8640011c739a16fdba3edfb3e
Opcode Fuzzy Hash: 7ef547225f3874c74a209f4498bdda902b00337a391f0a7ab2d315ffb3a67273
Instruction Fuzzy Hash: 62E06531344690AADB315B75AC49BED3F10EB12336F048329F6F5550E1C77146519F11

Function 003F162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 003F1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,003F11D9), ref: 003F163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003F11D9), ref: 003F1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,003F11D9), ref: 003F164F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 55f4106335b3c100a9112c2977feadd5bd4182d9540e344947ae99965ba34c6b
Instruction ID: e5ba32dc7450a4003a0682b30b17d9de70d1e2d54128112ccdbd185c79ca82f1
Opcode Fuzzy Hash: 55f4106335b3c100a9112c2977feadd5bd4182d9540e344947ae99965ba34c6b
Instruction Fuzzy Hash: FEE08631701211DBD7301FE0AD4DB5A7B7CAF447D1F154828F745CA080D6344442C7A8

Function 003ED858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 003ED858
GetDC.USER32(00000000), ref: 003ED862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 003ED882
ReleaseDC.USER32(?), ref: 003ED8A3

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b4d6c6a6f32cb20f6106fef6774d092af65c0e9907b4a92e76bd89da0864974d
Instruction ID: be752d945ad6449c84c28708fb4771956eacb82a77786433cf02ff7691b9e05d
Opcode Fuzzy Hash: b4d6c6a6f32cb20f6106fef6774d092af65c0e9907b4a92e76bd89da0864974d
Instruction Fuzzy Hash: E3E01AB1900204DFCF529FA0D84866DFBB6FB08710F508029F806E7650C7384902AF84

Function 003ED86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 003ED86C
GetDC.USER32(00000000), ref: 003ED876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 003ED882
ReleaseDC.USER32(?), ref: 003ED8A3

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f53f4098ca513ac64da9b1e8353df9ff7d3f7b6353ce659414c9effdd40a2825
Instruction ID: f2e24e48ffb2522730f7d41a6c4fa5e5e7498bdaa9cfd9ab7218381983e3a28c
Opcode Fuzzy Hash: f53f4098ca513ac64da9b1e8353df9ff7d3f7b6353ce659414c9effdd40a2825
Instruction Fuzzy Hash: 6DE01A71D00200DFCF619FA0D84866DFBB5FB08710B508018F80AE7250C73859029F84

Function 00404D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00397620: _wcslen.LIBCMT ref: 00397625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00404ED4

Strings

*, xrefs: 00404E10
LPT, xrefs: 00404DFB

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: d1cecd3ab117f060eca71fbbdfc4c3fe7198326302916bed3516eaae57c243f3
Instruction ID: fff0e5d32f6a90a9a98a14174ec4286509e2c2f58a6cbf2b4d317088388e2087
Opcode Fuzzy Hash: d1cecd3ab117f060eca71fbbdfc4c3fe7198326302916bed3516eaae57c243f3
Instruction Fuzzy Hash: AA9184B5A002059FCB15DF54C484EAABBF1FF85304F1580AAE50AAF3A2C735ED85CB95

Function 003BE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 003BE30D

Strings

pow, xrefs: 003BE2E5, 003BE302

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 088110abaf44f3c2c4ee8b2f1f57de8dab3d87f2c781a84643fc4234f3cbcd74
Instruction ID: 48228597ad9a14cf927ac06bc71767d537df09378faccd44739a61169ebe6170
Opcode Fuzzy Hash: 088110abaf44f3c2c4ee8b2f1f57de8dab3d87f2c781a84643fc4234f3cbcd74
Instruction Fuzzy Hash: 8A517062A0C10296C713772CC901BF93BE8DB40744F358D6CE996C66E9DB348C819F86

Function 00417771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(003E569E,00000000,?,0042CC08,?,00000000,00000000), ref: 004178DD

Part of subcall function 00396B57: _wcslen.LIBCMT ref: 00396B6A

CharUpperBuffW.USER32(003E569E,00000000,?,0042CC08,00000000,?,00000000,00000000), ref: 0041783B

Strings

<sE, xrefs: 004177C8

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sE
API String ID: 3544283678-3499383500
Opcode ID: 0a468cabd5160962970d9667f85eb59b14d0e763ab7c4252bbd30bc65a654f1a
Instruction ID: 4e04bdf7491029217a3669993b1f89085cc84a8c819a1e135b8608364021bd59
Opcode Fuzzy Hash: 0a468cabd5160962970d9667f85eb59b14d0e763ab7c4252bbd30bc65a654f1a
Instruction Fuzzy Hash: 13615076924119ABCF06FBA4CC91DFEB374BF14300B54412AF542AB191EF385A4ACBA4

Function 003AE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 003AE1B1

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: de12e971ac15c5b2dae728c5ae21aac90fc84d81cbf63f199bf243d61a93d569
Instruction ID: 59cda8b8376a11e8f34e96506db9d6bfdc0dd8ed7fdf78950f1cacf8dadb1b30
Opcode Fuzzy Hash: de12e971ac15c5b2dae728c5ae21aac90fc84d81cbf63f199bf243d61a93d569
Instruction Fuzzy Hash: B05164315002A6DFDF27EF29C481AFA7BA8EF66310F254559EC919B2D0D7309D42CBA0

Function 003AF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 003AF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 003AF2BB

Strings

@, xrefs: 003AF2AF

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: dc7e2d6b8b7ad9a2200320650d1ffa7b5456a79cfbc4990e2e6822dac3c5db2f
Instruction ID: 02f2efd7fe8592f69343b2d4896295ef5e751afa275394c71357730ae409311d
Opcode Fuzzy Hash: dc7e2d6b8b7ad9a2200320650d1ffa7b5456a79cfbc4990e2e6822dac3c5db2f
Instruction Fuzzy Hash: EA5176724187459BE721AF10DC86BAFBBF8FB84304F81885CF2D9411A5EB708569CB66

Function 00415745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004157E0
_wcslen.LIBCMT ref: 004157EC

Strings

CALLARGARRAY, xrefs: 004157E6, 004157EB

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: b8101d591652438f8a30b8a0a01fcdc8b88a70bf9e4c8ea48d0ae138736caf21
Instruction ID: dedbc01a9e277d2b1f8f8b5415c16a46e63b7681e8919b5aa967ee5535c4d114
Opcode Fuzzy Hash: b8101d591652438f8a30b8a0a01fcdc8b88a70bf9e4c8ea48d0ae138736caf21
Instruction Fuzzy Hash: 36418F31A00209DFCB14EFA9C8829FEBBB5FF99314F10416AE515AB391E7349D81CB94

Function 0040D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0040D13A

Strings

|, xrefs: 0040D10B

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 8657503f204f2c32bd8b9f273e0ffd5bec146bd0300217b5f28f37a46f58d7af
Instruction ID: 4a08c98b61a42c991307eb521f19c022e7b00087f34d1690341e8ee11c71549d
Opcode Fuzzy Hash: 8657503f204f2c32bd8b9f273e0ffd5bec146bd0300217b5f28f37a46f58d7af
Instruction Fuzzy Hash: AE311A71D01209ABCF16EFA4CD85AEE7FB9FF04340F000029F815AA262DB35AA06DB54

Function 0042356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00423621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0042365C

Strings

static, xrefs: 004235BC

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d93ef4d5b5807b2f8b6f3fa507d7a6f665d0ba3caa709ac3a77eefc144a2f120
Instruction ID: f084f304b9cd2f4c0ef09cbd110fc0e38fe1da1bfa3346230a05bc56b28590db
Opcode Fuzzy Hash: d93ef4d5b5807b2f8b6f3fa507d7a6f665d0ba3caa709ac3a77eefc144a2f120
Instruction Fuzzy Hash: 6431A171210614AADB20DF24EC80FBB73B9FF48714F50861EF85597280DA39AD81C764

Function 00424537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0042461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00424634

Strings

', xrefs: 0042458E

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0c3f8c855da0d22a0cebdc32251f88f52992ae03dc0641827e2cadf6292a171a
Instruction ID: c2051a41e22a4a71b5c6b1fe585f1616f1b3cf329b34ea3b2e29ba1c1e892697
Opcode Fuzzy Hash: 0c3f8c855da0d22a0cebdc32251f88f52992ae03dc0641827e2cadf6292a171a
Instruction Fuzzy Hash: A73138B4B01219AFDF14CFA9D980BDA7BB5FF49300F54406AEA04AB391E774A941CF94

Function 004231EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0042327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00423287

Strings

Combobox, xrefs: 00423249

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d4270643ac787b32ca96bfe11b8915724f2dce92c1bb635601c7f43612791956
Instruction ID: 5b99fc3abf101f4b849cd46f0b7b1070d6cc1a665b2b166e874b9bd673accb57
Opcode Fuzzy Hash: d4270643ac787b32ca96bfe11b8915724f2dce92c1bb635601c7f43612791956
Instruction Fuzzy Hash: 2B11E671300218BFEF21DF54EC81EBB376AEB54365F50012AF91497390D6399D518774

Function 00423710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0039600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0039604C
Part of subcall function 0039600E: GetStockObject.GDI32(00000011), ref: 00396060
Part of subcall function 0039600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0039606A

GetWindowRect.USER32(00000000,?), ref: 0042377A
GetSysColor.USER32(00000012), ref: 00423794

Strings

static, xrefs: 00423757

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 0bf0effcfeb5077bdfdbfc99dc1a94429a98de9913d533bdb5bfd523abed752e
Instruction ID: 8ce978f18825af89ea00980cd7af0d0c0e0cf6496cc1f8246784fcb5d922dd86
Opcode Fuzzy Hash: 0bf0effcfeb5077bdfdbfc99dc1a94429a98de9913d533bdb5bfd523abed752e
Instruction Fuzzy Hash: 741159B2610219AFDF00DFA8DC46EEE7BB8FB08304F404525F955E3250E778E8619B54

Function 0040CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0040CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0040CDA6

Strings

<local>, xrefs: 0040CD66

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 5c408e7c3f324ec3b4ad7fb32ee8f53031cd3770e964190c4c56930b67b748ad
Instruction ID: 729887591e0c99d0bd9d15627b0acb93a2032f1592c1a36d332ac6a214e22fa2
Opcode Fuzzy Hash: 5c408e7c3f324ec3b4ad7fb32ee8f53031cd3770e964190c4c56930b67b748ad
Instruction Fuzzy Hash: 4E11E371251632BAD7344B668CC5EE7BE68EF527A4F404337B109A31C0D2789841D6F8

Function 00423429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004234AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004234BA

Strings

edit, xrefs: 0042348F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 67d343751546dbdf2d58597d3e8222c960c823a48855b2c8008eeaef7f4b31d7
Instruction ID: c34a79c413d684767bf3793027988fcbf4018b5a9691745d308be29a591071aa
Opcode Fuzzy Hash: 67d343751546dbdf2d58597d3e8222c960c823a48855b2c8008eeaef7f4b31d7
Instruction Fuzzy Hash: E211B271200128ABEB116E64EC80ABB3779EB04379F904365F960932D0C77DEC519B58

Function 003F6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

CharUpperBuffW.USER32(?,?,?), ref: 003F6CB6
_wcslen.LIBCMT ref: 003F6CC2

Strings

STOP, xrefs: 003F6CBC, 003F6CC1

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: c0d6292e6297698ce29bf1bcd7758deffd5888a402bbd94a98157ffe935fd643
Instruction ID: 34e2ddaea7107e7f91040d36dca2ca15a04e09397fe1572ffc3f2bdc21bdc1bb
Opcode Fuzzy Hash: c0d6292e6297698ce29bf1bcd7758deffd5888a402bbd94a98157ffe935fd643
Instruction Fuzzy Hash: 9F012632A0092B8BCB229FBDDC829BF33B8EB617107010539FAA297195EB31D800C650

Function 003F1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

Part of subcall function 003F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003F3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 003F1D4C

Strings

ComboBox, xrefs: 003F1CEB
ListBox, xrefs: 003F1D16

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5a9bcaf9b48d5d45478c09f053048599305d6aa59484d36a8223fe24016582f7
Instruction ID: 322e11477a97d33a26e3c9e4ac9551e03549e5a168c2f2430af22f6aa609e0d4
Opcode Fuzzy Hash: 5a9bcaf9b48d5d45478c09f053048599305d6aa59484d36a8223fe24016582f7
Instruction Fuzzy Hash: CC01D47164121CAB8F1AFFA4DC65EFE73B8EB46350B14061FF9326B2D1EA315908C660

Function 003F1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

Part of subcall function 003F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003F3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 003F1C46

Strings

ComboBox, xrefs: 003F1BE5
ListBox, xrefs: 003F1C10

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1f186235ff3c713299f7c7a8f53b48b487f08f61ea213a51932da313a6eff6ef
Instruction ID: 8023217fbfe8a7676f2d5445071d5a1bdf6aa0d7ef5f9a46b9eb17a5ed19376c
Opcode Fuzzy Hash: 1f186235ff3c713299f7c7a8f53b48b487f08f61ea213a51932da313a6eff6ef
Instruction Fuzzy Hash: B501A77578110CA6CF16EB94DD65AFF77A89B11340F14001EAA167B282EA249E0CC6B5

Function 003F1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

Part of subcall function 003F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003F3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 003F1CC8

Strings

ComboBox, xrefs: 003F1C69
ListBox, xrefs: 003F1C94

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 41dc1069bd2788755b34ac6cffab122bf0e1a9b0c6fdaf36ea77a8125a5096e6
Instruction ID: e01fe28eba090e615b080a8332f1f1a3666933c7e4ef36df1b760a80aea2d27c
Opcode Fuzzy Hash: 41dc1069bd2788755b34ac6cffab122bf0e1a9b0c6fdaf36ea77a8125a5096e6
Instruction Fuzzy Hash: A301D671B8011CA7CF16EBA5DE11BFE77AC9B11340F54001AB91277282EA219F08C675

Function 003AA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003AA529

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

Strings

,%F, xrefs: 003AA509
3y>, xrefs: 003AA545, 003AA54D, 003AA552

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%F$3y>
API String ID: 2551934079-591530318
Opcode ID: 4a64aa663fda855d8467c7e94dce21720f5ab7bab94fdf4ca5845b8f19b7676a
Instruction ID: 1471c7474d0e76b6c2a3bece42eaf7d36111329a2f81a23a47f15a4ee8737c18
Opcode Fuzzy Hash: 4a64aa663fda855d8467c7e94dce21720f5ab7bab94fdf4ca5845b8f19b7676a
Instruction Fuzzy Hash: BC01D433A40A10ABC916B769A856AAE3358DB07710F50006AF6125F2C2EF549D01C69B

Function 003F1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00399CB3: _wcslen.LIBCMT ref: 00399CBD

Part of subcall function 003F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003F3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 003F1DD3

Strings

ComboBox, xrefs: 003F1D75
ListBox, xrefs: 003F1DA0

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: caf0bde898760124019b1bd7ceff2527f4828290063dee3b2dd37a86904c2acf
Instruction ID: 594a9c055d1bf5b8ac9cd5895afbbd21af001e522f052df2c35431f638b6fc94
Opcode Fuzzy Hash: caf0bde898760124019b1bd7ceff2527f4828290063dee3b2dd37a86904c2acf
Instruction Fuzzy Hash: A4F02D71B4121DA6CF06F7A8DC51FFF737CAB01340F04091EB922672C2DA60590C8674

Function 003AFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 003B0668

Part of subcall function 003B32A4: RaiseException.KERNEL32(?,?,?,003B068A,?,00461444,?,?,?,?,?,?,003B068A,00391129,00458738,00391129), ref: 003B3304

__CxxThrowException@8.LIBVCRUNTIME ref: 003B0685

Strings

Unknown exception, xrefs: 003B0692

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: a95c58f0a2c8c6fb2195b8a7c7a45358a776ff41e4ad32686193a043e1f5a02e
Instruction ID: 493b2b50600158615c62a174daff114ce85dc460739c9d90ff79b7454673e05f
Opcode Fuzzy Hash: a95c58f0a2c8c6fb2195b8a7c7a45358a776ff41e4ad32686193a043e1f5a02e
Instruction Fuzzy Hash: AAF0223090020C778F0BB6A4DC46DDF776CDE00308BA04432BA14DAC92EF30DA29C680

Function 00428172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00463018,0046305C), ref: 004281BF
CloseHandle.KERNEL32 ref: 004281D1

Strings

\0F, xrefs: 0042818A

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0F
API String ID: 3712363035-3659455632
Opcode ID: 15e63298e579300c88a153294bbea8b587ce9f22860987b36401edc6bf79bee0
Instruction ID: fb52bb4d632d5bb072d43739679f202484e27673a09054746c4030519d34dbe8
Opcode Fuzzy Hash: 15e63298e579300c88a153294bbea8b587ce9f22860987b36401edc6bf79bee0
Instruction Fuzzy Hash: B9F054B1640340BAE2206F616C45FB73A5CDB05756F404431FB08D51A6E6B98E1482FD

Function 0041747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00417493
_wcslen.LIBCMT ref: 004174B9

Strings

3, 3, 16, 1, xrefs: 00417483

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 2d513f0e92bc6122b884712e770464755bebe17d3674c81265591d4307471d98
Instruction ID: b88802a4a2b2296bf3b4057853f570d9490b18ca960b68ba48615d67ee04bbfc
Opcode Fuzzy Hash: 2d513f0e92bc6122b884712e770464755bebe17d3674c81265591d4307471d98
Instruction Fuzzy Hash: 28E02B22204220109332127AACC1AFF6699CFC97A0714182BFE81C6367EB988DD1D3AC

Function 003F0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 003F0B23

Strings

Error allocating memory., xrefs: 003F0B1C
AutoIt, xrefs: 003F0B17

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 496d09926bd55852747bc42fc2115fa7164a1491054e72be5e6190dc4e0d8125
Instruction ID: 33acb4f4f8815b8efaaa461ad416626e9f7ec421a1afbd485e8b9362198a3257
Opcode Fuzzy Hash: 496d09926bd55852747bc42fc2115fa7164a1491054e72be5e6190dc4e0d8125
Instruction Fuzzy Hash: C4E0D8313443183AD22636D47C43F9D7A84CF05B55F200427FB48594C38AE5649006ED

Function 003B0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 003AF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,003B0D71,?,?,?,0039100A), ref: 003AF7CE

IsDebuggerPresent.KERNEL32(?,?,?,0039100A), ref: 003B0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0039100A), ref: 003B0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003B0D7F

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2d182d69315596964fb580bec88f9270fb7ab63c2d21a1e37620ccb292b1244b
Instruction ID: 472839eca7fe0f507525205b03771ac3f76b688fa458119fc87618e7eff1360c
Opcode Fuzzy Hash: 2d182d69315596964fb580bec88f9270fb7ab63c2d21a1e37620ccb292b1244b
Instruction Fuzzy Hash: 94E06D743003118FD3369FB8E4483867BF0AF00744F41897DE486C6AA1DBB5E4898BA1

Function 003AE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003AE3D5

Strings

8%F, xrefs: 003AE3CA
0%F, xrefs: 003AE3B5

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%F$8%F
API String ID: 1385522511-3350854467
Opcode ID: 1c60d90d74fcd4408cbecac6391a9068089606b2a3b169d01697bbda2e897a95
Instruction ID: 9b194a1fd7ad5ae8e65ec5499b2dfa7ca4277013dff0ed234a86dcaf22ffb859
Opcode Fuzzy Hash: 1c60d90d74fcd4408cbecac6391a9068089606b2a3b169d01697bbda2e897a95
Instruction Fuzzy Hash: 96E02639400D10FBCE2A971CBA94A8A3355EB06320B900676E2038F5D1BBF42841864F

Function 00403017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0040302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00403044

Strings

aut, xrefs: 00403038

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 552b6a8f13ee4e9047e377e59e1d05b86efaab48bcfda3f0263a9b821f0cc9ed
Instruction ID: 35d6b92ed5f95f74d361c8404e84489159194e238e0ba9198442798e8033e00c
Opcode Fuzzy Hash: 552b6a8f13ee4e9047e377e59e1d05b86efaab48bcfda3f0263a9b821f0cc9ed
Instruction Fuzzy Hash: D1D05B71900314A7DA3097949C4DFCB3A6CDB05751F4001A17655D2091DEB49945CAE4

Function 003ED21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003ED220

Strings

X64, xrefs: 003ED2A8
%.3d, xrefs: 003ED22B

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: b0169df1b9bf8e3fdfcaf1de384b4a17bcc74b8b66adf960f6c7adfac7bde30f
Instruction ID: 5e535ed5dd2c98827445aa49c4d0c9d16e104bcb309ea5c9ee58d73e72db707c
Opcode Fuzzy Hash: b0169df1b9bf8e3fdfcaf1de384b4a17bcc74b8b66adf960f6c7adfac7bde30f
Instruction Fuzzy Hash: 85D01261C08168E9CB5197E1DC459B9B37CFB09341F608962FE17A1881D624C508A761

Function 00422356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0042236C
PostMessageW.USER32(00000000), ref: 00422373

Part of subcall function 003FE97B: Sleep.KERNEL32 ref: 003FE9F3

Strings

Shell_TrayWnd, xrefs: 00422365

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3973771372966185f1680344100aa3c029c1eeb0fec63ae78d44fe3e43567a0f
Instruction ID: ff1ada79f1c0138a698b78306b16134a3e13da9c0178825387b202d2c51e6d8f
Opcode Fuzzy Hash: 3973771372966185f1680344100aa3c029c1eeb0fec63ae78d44fe3e43567a0f
Instruction Fuzzy Hash: BAD0A932380310BAE274A7309C4FFCA66049B04B00F800A227701AA0E0C9F4A802CA1C

Function 00422322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0042232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0042233F

Part of subcall function 003FE97B: Sleep.KERNEL32 ref: 003FE9F3

Strings

Shell_TrayWnd, xrefs: 00422325

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a46532521ba17929c3ba22b38d78ae1488bd16aa6b0cefadab41698789ef6111
Instruction ID: 4b9a36330e4a5ad0c7b3df4db8a92e4fc44368666d63b3aaed2f211649db828a
Opcode Fuzzy Hash: a46532521ba17929c3ba22b38d78ae1488bd16aa6b0cefadab41698789ef6111
Instruction Fuzzy Hash: 6BD0A932380310B6E274A7309C4FFCA6A049B00B00F400A227705AA0E0C9F4A802CA18

Function 003CBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 003CBE93
GetLastError.KERNEL32 ref: 003CBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003CBEFC

Memory Dump Source

Source File: 00000000.00000002.2173276333.0000000000391000.00000020.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true

Associated: 00000000.00000002.2173114115.0000000000390000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173442611.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173596403.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173679789.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_390000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 4183a9db85b19cbf5b7e3ec05074954ef7bbf33a09a3648d38c01b98b2214029
Instruction ID: 30a4be71b23a3ec8fcf51e4a575699ae87f77f5fda13e51b93f1d0f19ccea627
Opcode Fuzzy Hash: 4183a9db85b19cbf5b7e3ec05074954ef7bbf33a09a3648d38c01b98b2214029
Instruction Fuzzy Hash: 5141B134600216AFDB229F64DC46FBAFBA9AF41720F16416DF959DB2A1DB318D01CB60

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2338897959.0000020C67B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2311600707.000033BB89C03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 3https://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2311600707.000033BB89C03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 3https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2300410795.0000020C6A6C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321504272.0000020C6A6C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300410795.0000020C6A6AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2323570870.0000020C73C63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2259930253.0000020C749CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2260302152.0000020C74891000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2306538864.0000020C74891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2259930253.0000020C749CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259930253.0000020C749A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2306278280.0000020C749CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2300410795.0000020C6A6AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2300410795.0000020C6A6C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321504272.0000020C6A6C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2323466152.0000020C73C8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2323924248.0000020C71F86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2323924248.0000020C71F86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2259930253.0000020C749CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311600707.000033BB89C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2260302152.0000020C74891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2311714278.000019F446603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2259930253.0000020C749CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311600707.000033BB89C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311714278.000019F446603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3371536927.00000189FAB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3371433753.0000021FDA10C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3371536927.00000189FAB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3371433753.0000021FDA10C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2346688658.0000020C6AF5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3371536927.00000189FAB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3371433753.0000021FDA10C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2311714278.000019F446603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2339108146.0000020C6646C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300410795.0000020C6A6C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311600707.000033BB89C03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2311600707.000033BB89C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311714278.000019F446603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2323466152.0000020C73C8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311600707.000033BB89C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311714278.000019F446603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2309605138.0000020C74246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2311600707.000033BB89C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311714278.000019F446603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.5:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49878 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_89fa439a-470f-47e7-a860-228bb43532e5.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_89fa439a-470f-47e7-a860-228bb43532e5.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre