Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561921
MD5:	667bf6cd0b76dd2dc3c2e66827a1c44a
SHA1:	9aff90b8016f3a956f018399d0e1b82593bf3e3e
SHA256:	6dfecc3e888281b0fd6cbebcbc35f7ad42de55f1cf9d1b9ab208eeb5d8e11fce
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 5876 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 667BF6CD0B76DD2DC3C2E66827A1C44A)

taskkill.exe (PID: 5040 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3704 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2632 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5176 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5588 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 5016 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2364 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2620 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7232 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbbe2a04-7c6c-4cf1-adf6-02c1116bb12a} 2620 "\\.\pipe\gecko-crash-server-pipe.2620" 1c1dca6e910 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7924 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -parentBuildID 20230927232528 -prefsHandle 4020 -prefMapHandle 4016 -prefsLen 26034 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebb25158-9067-45c3-bf13-1f107f0bed4f} 2620 "\\.\pipe\gecko-crash-server-pipe.2620" 1c1dca7e710 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7624 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5148 -prefMapHandle 5072 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82f16e16-aaa8-4ef6-9529-5cc90aed65e2} 2620 "\\.\pipe\gecko-crash-server-pipe.2620" 1c1f51b9510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 5876	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 1_2_007BEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_007BEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_007BED6A

Source: C:\Users\user\Desktop\file.exe

1_2_007BEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007AAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

1_2_007AAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007D9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_007D9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_faa3ee99-e
Source: file.exe, 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_052d7d8d-e
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dd6d84ce-3
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e89c83c9-1

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_00000171D19FAAF7 NtQuerySystemInformation,		19_2_00000171D19FAAF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_00000171D1F786B2 NtQuerySystemInformation,		19_2_00000171D1F786B2

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007AD5EB: CreateFileW,DeviceIoControl,CloseHandle,

1_2_007AD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_007A1201

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_007AE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00748060	1_2_00748060
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B2046	1_2_007B2046
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007A8298	1_2_007A8298
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0077E4FF	1_2_0077E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0077676B	1_2_0077676B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007D4873	1_2_007D4873
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0074CAF0	1_2_0074CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0076CAA0	1_2_0076CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0075CC39	1_2_0075CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00776DD9	1_2_00776DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0075B119	1_2_0075B119
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007491C0	1_2_007491C0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00761394	1_2_00761394
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0076781B	1_2_0076781B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0075997D	1_2_0075997D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00747920	1_2_00747920
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00767A4A	1_2_00767A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00767CA7	1_2_00767CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007CBE44	1_2_007CBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00779EEE	1_2_00779EEE
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_00000171D19FAAF7	19_2_00000171D19FAAF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_00000171D1F786B2	19_2_00000171D1F786B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_00000171D1F786F2	19_2_00000171D1F786F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_00000171D1F78DDC	19_2_00000171D1F78DDC

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00749CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0075F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00760A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@72/12

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007B37B5 GetLastError,FormatMessageW,

1_2_007B37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007A10BF AdjustTokenPrivileges,CloseHandle,		1_2_007A10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_007A16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007B51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_007B51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007AD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_007AD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007B648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

1_2_007B648E

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_007442A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4388:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2120:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000F.00000003.2420037646.000001C1F8511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000F.00000003.2420037646.000001C1F8511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000F.00000003.2420037646.000001C1F8511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000F.00000003.2420037646.000001C1F8511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000F.00000003.2444546120.000001C1EE519000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000F.00000003.2420037646.000001C1F8511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000F.00000003.2420037646.000001C1F8511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000F.00000003.2420037646.000001C1F8511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000F.00000003.2420037646.000001C1F8511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000F.00000003.2420037646.000001C1F8511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbbe2a04-7c6c-4cf1-adf6-02c1116bb12a} 2620 "\\.\pipe\gecko-crash-server-pipe.2620" 1c1dca6e910 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -parentBuildID 20230927232528 -prefsHandle 4020 -prefMapHandle 4016 -prefsLen 26034 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebb25158-9067-45c3-bf13-1f107f0bed4f} 2620 "\\.\pipe\gecko-crash-server-pipe.2620" 1c1dca7e710 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5148 -prefMapHandle 5072 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82f16e16-aaa8-4ef6-9529-5cc90aed65e2} 2620 "\\.\pipe\gecko-crash-server-pipe.2620" 1c1f51b9510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbbe2a04-7c6c-4cf1-adf6-02c1116bb12a} 2620 "\\.\pipe\gecko-crash-server-pipe.2620" 1c1dca6e910 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -parentBuildID 20230927232528 -prefsHandle 4020 -prefMapHandle 4016 -prefsLen 26034 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebb25158-9067-45c3-bf13-1f107f0bed4f} 2620 "\\.\pipe\gecko-crash-server-pipe.2620" 1c1dca7e710 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5148 -prefMapHandle 5072 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82f16e16-aaa8-4ef6-9529-5cc90aed65e2} 2620 "\\.\pipe\gecko-crash-server-pipe.2620" 1c1f51b9510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000F.00000003.2397422626.000001C1F1041000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UxTheme.pdb source: firefox.exe, 0000000F.00000003.2405759117.000001C1F57BC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: firefox.exe, 0000000F.00000003.2405759117.000001C1F57BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2405759117.000001C1F57A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000F.00000003.2410828420.000001C1EECF0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000F.00000003.2412922282.000001C1EC4AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: firefox.exe, 0000000F.00000003.2389831550.000001C1F75A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2404860107.000001C1F75A8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: firefox.exe, 0000000F.00000003.2405759117.000001C1F5775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2405759117.000001C1F577D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: firefox.exe, 0000000F.00000003.2405759117.000001C1F57A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdb source: firefox.exe, 0000000F.00000003.2406566947.000001C1F52D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000F.00000003.2412922282.000001C1EC4AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000F.00000003.2399199711.000001C1EC4AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000F.00000003.2396270955.000001C1EC4A7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2397567212.000001C1EC4AC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb` source: firefox.exe, 0000000F.00000003.2405204836.000001C1F5968000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: firefox.exe, 0000000F.00000003.2405759117.000001C1F5775000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000F.00000003.2410828420.000001C1EECF0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: firefox.exe, 0000000F.00000003.2404632841.000001C1F8327000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.15.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000F.00000003.2397422626.000001C1F1041000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: firefox.exe, 0000000F.00000003.2389831550.000001C1F75A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2404860107.000001C1F75A8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000F.00000003.2410828420.000001C1EECF0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: firefox.exe, 0000000F.00000003.2404632841.000001C1F8327000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: firefox.exe, 0000000F.00000003.2405204836.000001C1F5968000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000F.00000003.2410828420.000001C1EECF0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: user32.pdb source: firefox.exe, 0000000F.00000003.2405759117.000001C1F57A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: firefox.exe, 0000000F.00000003.2405204836.000001C1F5968000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.15.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000F.00000003.2396270955.000001C1EC4A7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2397567212.000001C1EC4AC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000F.00000003.2410828420.000001C1EECF0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: firefox.exe, 0000000F.00000003.2389831550.000001C1F75A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2404860107.000001C1F75A8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: firefox.exe, 0000000F.00000003.2405759117.000001C1F57BC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: firefox.exe, 0000000F.00000003.2407872086.000001C1F005E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000F.00000003.2399803285.000001C1F1041000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000F.00000003.2399199711.000001C1EC4AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000F.00000003.2410828420.000001C1EECF0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: firefox.exe, 0000000F.00000003.2404632841.000001C1F8327000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: firefox.exe, 0000000F.00000003.2405759117.000001C1F57A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000F.00000003.2399803285.000001C1F1041000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: firefox.exe, 0000000F.00000003.2407872086.000001C1F005E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 0000000F.00000003.2405759117.000001C1F57BC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb source: firefox.exe, 0000000F.00000003.2406566947.000001C1F52D0000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_007442DE

Source: gmpopenh264.dll.tmp.15.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00760A76 push ecx; ret

1_2_00760A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0075F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_0075F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_007D1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_1-95908

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 19_2_00000171D19FAAF7 rdtsc

19_2_00000171D19FAAF7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_007ADBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0077C2A2 FindFirstFileExW,	1_2_0077C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B68EE FindFirstFileW,FindClose,	1_2_007B68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_007B698F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_007AD076
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_007AD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_007B9642
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_007B979D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_007B9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B5C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_007B5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_007442DE

Source: firefox.exe, 00000011.00000002.3464910130.000001ECCA500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: firefox.exe, 00000011.00000002.3464910130.000001ECCA500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW[
Source: firefox.exe, 00000013.00000002.3457696490.00000171D17BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: firefox.exe, 00000011.00000002.3458713642.000001ECC9F5A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3464910130.000001ECCA500000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3463831748.0000027887E00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000011.00000002.3464169673.000001ECCA41D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000015.00000002.3458045332.00000278879BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@,
Source: firefox.exe, 00000013.00000002.3463177750.00000171D2060000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW?
Source: firefox.exe, 00000013.00000002.3463177750.00000171D2060000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
Source: firefox.exe, 00000013.00000002.3463177750.00000171D2060000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb
Source: firefox.exe, 00000011.00000002.3464910130.000001ECCA500000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3463177750.00000171D2060000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 19_2_00000171D19FAAF7 rdtsc

19_2_00000171D19FAAF7

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007BEAA2 BlockInput,

1_2_007BEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00772622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00772622

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_007442DE

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00764CE8 mov eax, dword ptr fs:[00000030h]

1_2_00764CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

1_2_007A0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00772622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00772622
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0076083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0076083F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007609D5 SetUnhandledExceptionFilter,	1_2_007609D5
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00760C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00760C21

Source: C:\Users\user\Desktop\file.exe

1_2_007A1201

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00782BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00782BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007AB226 SendInput,keybd_event,

1_2_007AB226

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007C22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

1_2_007C22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

1_2_007A0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007A1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_007A1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00760698 cpuid

1_2_00760698

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007B8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

1_2_007B8195

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0079D27A GetUserNameW,

1_2_0079D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0077B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

1_2_0077B952

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_007442DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5876, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5876, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		1_2_007C1204
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_007C1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	26%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://youtube.com63	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.129	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.193.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.142	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
youtube-ui.l.google.com	172.217.19.238	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.129.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000015.00000002.3460428107.0000027887DC4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://detectportal.firefox.com/	firefox.exe, 0000000F.00000003.2444546120.000001C1EE519000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000F.00000003.2415804860.000001C1EEB8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2395923150.000001C1EDC9A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mozilla.com0	gmpopenh264.dll.tmp.15.dr	false		high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000015.00000002.3460428107.0000027887D8F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000F.00000003.2420344682.000001C1F577D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2434395605.000001C1F5788000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2405759117.000001C1F577D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com63	firefox.exe, 0000000F.00000003.2448808138.000001C1EF1D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2409358432.000001C1EF1D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.leboncoin.fr/	firefox.exe, 0000000F.00000003.2275856076.000001C1EDF67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2405204836.000001C1F5946000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2433843577.000001C1F5949000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2271873729.000001C1F5953000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000F.00000003.2425106607.000001C1EF68F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2410828420.000001C1EECE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com	firefox.exe, 0000000F.00000003.2427566464.000001C1EE846000.00000004.00000800.00020000.00000000.sdmp	false		high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000F.00000003.2241201510.000001C1EC700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2241560070.000001C1EC90F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2241950382.000001C1EC931000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2242469269.000001C1EC952000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000F.00000003.2274937024.000001C1EDECA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2274937024.000001C1EDEF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2410828420.000001C1EECA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2444583574.000001C1EDEF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000F.00000003.2420178617.000001C1F83B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2404632841.000001C1F83B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000F.00000003.2241201510.000001C1EC700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2444374864.000001C1EE58F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2241560070.000001C1EC90F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2241950382.000001C1EC931000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2242469269.000001C1EC952000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2358309116.000001C1EE7F9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000F.00000003.2241201510.000001C1EC700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2241560070.000001C1EC90F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2241950382.000001C1EC931000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 0000000F.00000003.2277495204.000001C1F5048000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/	firefox.exe, 0000000F.00000003.2423045165.000001C1F0584000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2436517188.000001C1F0584000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000F.00000003.2420344682.000001C1F577D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2434395605.000001C1F5788000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2405759117.000001C1F577D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000F.00000003.2431301671.000001C1F8362000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://api.accounts.firefox.com/v1	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.15.dr	false		high
https://ok.ru/	firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/	firefox.exe, 0000000F.00000003.2272139631.000001C1F5664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2271873729.000001C1F5953000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000F.00000003.2434917925.000001C1F52D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2406566947.000001C1F52D0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000F.00000003.2274495664.000001C1EE1A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2449687465.000001C1EE1A9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	firefox.exe, 00000015.00000002.3460428107.0000027887D0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000F.00000003.2330142823.000001C1EF3D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2330261345.000001C1EF3D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000F.00000003.2445776026.000001C1ED3EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bbc.co.uk/	firefox.exe, 0000000F.00000003.2405204836.000001C1F5946000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2433843577.000001C1F5949000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2271873729.000001C1F5953000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000F.00000003.2404632841.000001C1F8327000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2431301671.000001C1F8362000.00000004.00000800.00020000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000015.00000002.3460428107.0000027887DC4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000F.00000003.2330142823.000001C1EF3D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mo	firefox.exe, 0000000F.00000003.2404632841.000001C1F83B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2449687465.000001C1EE12E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000F.00000003.2410828420.000001C1EECA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=	recovery.jsonlz4.tmp.15.dr	false		high
https://shavar.services.mozilla.com/	firefox.exe, 0000000F.00000003.2412302374.000001C1EE848000.00000004.00000800.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000F.00000003.2406566947.000001C1F52D0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/	firefox.exe, 0000000F.00000003.2425106607.000001C1EF68F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2423788818.000001C1F02D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2436129863.000001C1F513C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3459959985.00000171D1A12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3460428107.0000027887D13000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.iqiyi.com/	firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2405204836.000001C1F5946000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2433843577.000001C1F5949000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2271873729.000001C1F5953000.00000004.00000800.00020000.00000000.sdmp	false		high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/account?=https://acF(U	firefox.exe, 00000013.00000002.3458497840.00000171D1950000.00000004.00000020.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000F.00000003.2445060199.000001C1EDE47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/about	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000F.00000003.2373251800.000001C1EE4C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2387224598.000001C1EE756000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2250165105.000001C1ECEF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2472386213.000001C1ECEBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2298552045.000001C1EEB4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2353135343.000001C1EAECF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2407695406.000001C1F05F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2302840024.000001C1F5096000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2410056083.000001C1EEDB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2398587947.000001C1EEA4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2251034907.000001C1ECEC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2412803254.000001C1EDC0E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2276698354.000001C1F509A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2420344682.000001C1F57BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2351501374.000001C1ECEEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2447571807.000001C1F51DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2250230607.000001C1EAEDC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2351747183.000001C1F5096000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2275948782.000001C1F509A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2475996258.000001C1ECEF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2294602480.000001C1EE4BD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://coverage.mozilla.org	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.15.dr	false		high
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 0000000F.00000003.2277495204.000001C1F5048000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.zhihu.com/	firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2271873729.000001C1F5953000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	firefox.exe, 0000000F.00000003.2274495664.000001C1EE1A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2449687465.000001C1EE1A9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	firefox.exe, 0000000F.00000003.2274495664.000001C1EE1A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2449687465.000001C1EE1A9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000F.00000003.2445060199.000001C1EDE47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000F.00000003.2406566947.000001C1F52B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2434917925.000001C1F52B6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000F.00000003.2405759117.000001C1F5792000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2420344682.000001C1F5792000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2275856076.000001C1EDF67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2434395605.000001C1F5792000.00000004.00000800.00020000.00000000.sdmp	false		high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000F.00000003.2434917925.000001C1F52D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2406566947.000001C1F52D0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.firefox.com	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000F.00000003.2410056083.000001C1EED75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2426848388.000001C1EED7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000F.00000003.2418211612.000001C1F4F87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2422899441.000001C1F4F92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000F.00000003.2330142823.000001C1EF3D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2330261345.000001C1EF3D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000F.00000003.2404632841.000001C1F8327000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2431301671.000001C1F8362000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000F.00000003.2449687465.000001C1EE1A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.co.uk/	firefox.exe, 0000000F.00000003.2275856076.000001C1EDF67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2405204836.000001C1F5946000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2433843577.000001C1F5949000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2271873729.000001C1F5953000.00000004.00000800.00020000.00000000.sdmp	false		high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000F.00000003.2389103345.000001C1F858C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://screenshots.firefox.com/	firefox.exe, 0000000F.00000003.2241950382.000001C1EC931000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search	firefox.exe, 0000000F.00000003.2241201510.000001C1EC700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2444374864.000001C1EE58F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2241560070.000001C1EC90F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2241950382.000001C1EC931000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2242469269.000001C1EC952000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2358309116.000001C1EE7F9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://relay.firefox.com/api/v1/	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://spocs.getpocket.com/userZ	firefox.exe, 00000015.00000002.3460428107.0000027887DF6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000F.00000003.2420344682.000001C1F577D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2434395605.000001C1F5788000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2405759117.000001C1F577D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000011.00000002.3463863799.000001ECCA320000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3459096737.00000171D1970000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.3459960021.0000027887BB0000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.wykop.pl/	firefox.exe, 0000000F.00000003.2405204836.000001C1F5941000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2271873729.000001C1F5953000.00000004.00000800.00020000.00000000.sdmp	false		high
https://twitter.com/	firefox.exe, 0000000F.00000003.2272139631.000001C1F5664000.00000004.00000800.00020000.00000000.sdmp	false		high
https://vk.com/	firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=https://acV	firefox.exe, 00000011.00000002.3459198709.000001ECCA090000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.142	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561921
Start date and time:	2024-11-24 20:00:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@72/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 40 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.209.229.249, 52.32.237.164, 52.27.142.243, 172.217.17.78, 88.221.134.155, 88.221.134.209, 172.217.17.74, 172.217.17.42, 20.234.120.54, 104.85.16.144
Excluded domains from analysis (whitelisted): ciscobinary.openh264.org, slscr.update.microsoft.com, asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com, incoming.telemetry.mozilla.org, tse1.mm.bing.net, a17.rackcdn.com.mdc.edgesuite.net, g.bing.com, aus5.mozilla.org, arc.msn.com, a19.dscg10.akamai.net, redirector.gvt1.com, wildcard.weather.microsoft.com.edgekey.net, safebrowsing.googleapis.com, wu-b-net.trafficmanager.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, shavar.prod.mozaws.net, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, e15275.d.akamaiedge.net, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, detectportal.prod.mozaws.net, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:01:19	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	https://og.oomaal.in/	Get hash	malicious	Unknown	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	Bestellung EB0072813.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	199.232.192.209
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_2f374eb0-ee54-4736-92c1-c3c4d62f47ba.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.175259733869853
Encrypted:	false
SSDEEP:	192:9BMXsuBcbhbVbTbfbRbObtbyEl7n/rjJA6unSrDtTkdxSofG2:9iVcNhnzFSJfr61nSrDhkdxF
MD5:	D7035AE33D0B27F826497089DD034178
SHA1:	255813D1BE31ED3F2919582530B625FE0A3FFBDA
SHA-256:	D142389DE6797EE04D7F825750C4F8A8555BE45E7E727CA4878C72843C6BA932
SHA-512:	FBAA58DFFE5CEE39117764A35ADEC950CC01AF3BB87D7096D681E98FBEEEA15737248C3C00221961F961D75B35882F030D74698ACBE38B503B4137DD02F9FF51
Malicious:	false
Preview:	{"type":"uninstall","id":"2f374eb0-ee54-4736-92c1-c3c4d62f47ba","creationDate":"2024-11-24T20:19:42.121Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_2f374eb0-ee54-4736-92c1-c3c4d62f47ba.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.175259733869853
Encrypted:	false
SSDEEP:	192:9BMXsuBcbhbVbTbfbRbObtbyEl7n/rjJA6unSrDtTkdxSofG2:9iVcNhnzFSJfr61nSrDhkdxF
MD5:	D7035AE33D0B27F826497089DD034178
SHA1:	255813D1BE31ED3F2919582530B625FE0A3FFBDA
SHA-256:	D142389DE6797EE04D7F825750C4F8A8555BE45E7E727CA4878C72843C6BA932
SHA-512:	FBAA58DFFE5CEE39117764A35ADEC950CC01AF3BB87D7096D681E98FBEEEA15737248C3C00221961F961D75B35882F030D74698ACBE38B503B4137DD02F9FF51
Malicious:	false
Preview:	{"type":"uninstall","id":"2f374eb0-ee54-4736-92c1-c3c4d62f47ba","creationDate":"2024-11-24T20:19:42.121Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.930547295070085
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsL+A28P:gXiNFS+OcUGOdwiOdwBjkYL+A28P
MD5:	F4E5964E645A0A1686D04B0DC5D3E028
SHA1:	FB74B0B2F0280A11242D74DE6636BFF0C0BE1705
SHA-256:	066CA3000811D6E24920FE774CA2D56755A23620BE63D5544B1B8AB165A18693
SHA-512:	124BD42E37F07F88967F1BA88DAB4923C255A6115F8568C2F71138FBFF8C4B10E242A489CADE4EC317740297D0E7AF0D6BFD73D0D4DF89744935B6F2A170611F
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.930547295070085
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsL+A28P:gXiNFS+OcUGOdwiOdwBjkYL+A28P
MD5:	F4E5964E645A0A1686D04B0DC5D3E028
SHA1:	FB74B0B2F0280A11242D74DE6636BFF0C0BE1705
SHA-256:	066CA3000811D6E24920FE774CA2D56755A23620BE63D5544B1B8AB165A18693
SHA-512:	124BD42E37F07F88967F1BA88DAB4923C255A6115F8568C2F71138FBFF8C4B10E242A489CADE4EC317740297D0E7AF0D6BFD73D0D4DF89744935B6F2A170611F
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 26944 bytes
Category:	dropped
Size (bytes):	6071
Entropy (8bit):	6.61263436125208
Encrypted:	false
SSDEEP:	96:72YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlSAJVrfzjZXjkTndS12opTaM:7Tx2x2t0FDJ4NF6ILDfzjtedh6TX
MD5:	FD36D36BC5077FC3D16CD68CC7FFC65A
SHA1:	2111D7339EA8F94FC7F4F8E2964ABDBE6198F90B
SHA-256:	3A65636ABBCBF9BC2447FEA1BCE9BFC0E6DACD10D5721D21D670A537FFF0D545
SHA-512:	074547A0C2D572BA22D27A4EC3A0957C27B72E732D0ED37501C30A9657CAD258584819D3A92215B52638888D9FC0682E871F454B0ECBFC75373CBAE38DA4D656
Malicious:	false
Preview:	mozLz40.@i....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 26944 bytes
Category:	dropped
Size (bytes):	6071
Entropy (8bit):	6.61263436125208
Encrypted:	false
SSDEEP:	96:72YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlSAJVrfzjZXjkTndS12opTaM:7Tx2x2t0FDJ4NF6ILDfzjtedh6TX
MD5:	FD36D36BC5077FC3D16CD68CC7FFC65A
SHA1:	2111D7339EA8F94FC7F4F8E2964ABDBE6198F90B
SHA-256:	3A65636ABBCBF9BC2447FEA1BCE9BFC0E6DACD10D5721D21D670A537FFF0D545
SHA-512:	074547A0C2D572BA22D27A4EC3A0957C27B72E732D0ED37501C30A9657CAD258584819D3A92215B52638888D9FC0682E871F454B0ECBFC75373CBAE38DA4D656
Malicious:	false
Preview:	mozLz40.@i....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07318774231531212
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	9BA3A6B115807E55472D7685BA5B04E3
SHA1:	4BF147CD2957BF634304A93C67327E95460A005E
SHA-256:	97F6888242340059EB2C29261D6F74187BF7183238969E113778869B39BBC20B
SHA-512:	346194861FA8D4938AB966DA35CD1FA6BED83920B79086E1018C57E19CBEAD64F9997BC2AD2C1E6233244C148250E5AA340CDDC238CF7A0A2E5F3DB6208B8695
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035165590963080785
Encrypted:	false
SSDEEP:	3:GtlstF1RPfw13eCvPlstF1RPfw13eCk/lT89//alEl:GtWti1zXWti1zk/J89XuM
MD5:	EE151441C6699F9BE5194A8121E1ABD2
SHA1:	8277F8A371B79E420B68B00BEDD966BA6FE7BB91
SHA-256:	FB71EF57DB57CB2AD696F68ED4DD6C3DA54C373788DC7DE2D8F93436C8CA9640
SHA-512:	A95CDD6137F75E258BEEEDDEDF2B37312B5E12E14322C2845B023C82429B888D5EA644C7FD7D31A181A71F49BC46203A1417F1DFD32AA1B42DD06E8FDD06BA27
Malicious:	false
Preview:	..-.....................b.p...t.A.$;..ppM<....-.....................b.p...t.A.$;..ppM<..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.034817231022640185
Encrypted:	false
SSDEEP:	3:Ol1Y1Bo5ofsreG/YSrV//mwl8XW3R2:K+wHpuw93w
MD5:	5B5D81FFDB304EFF81908253F5C22DE1
SHA1:	BE27EB1C41B0BA8C1A32FEFE482D05A34CE50822
SHA-256:	F210298EA2FD94702081FDC7AD2F0423350F6A31C8807CE56CE8AB995847630A
SHA-512:	C59DC6BE13B589ED4D6E2048421E3CE9E90987FDCC89DDE1BB5680D7E699F443F0B856DC4393E1CCC155ABE32670113DE9A24FA90B607AAF45F9DAA084D6EED2
Malicious:	false
Preview:	7....-...........t.A.$;..Ww.o.t..........t.A.$;..p.b*.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.468095024450736
Encrypted:	false
SSDEEP:	192:LnTFTRRUYbBp6+LZNMGaXHN6qU4g+zy+/3/7+AZ5RYiNBw8dvSl:3KenFNMYreyCbdwU0
MD5:	72E17B9B4428B4A57330E3880342CAE9
SHA1:	EB28226FCEBE352A51F59D4759930F06E2791EC2
SHA-256:	EEE221C28252ED2C8BB9C03B3AEC5AFE07AE51926BD8061D175E6DF6896F6319
SHA-512:	3DAB5660600A16EA54634BAEF77B70F5D08A479973F0A5A56D37FCCA9D5D8844459FFDDA8DC57C588D5DF324A49D44F36D411E83923174FF80C73FADC0F24807
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732479551);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732479551);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732479551);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173247

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.468095024450736
Encrypted:	false
SSDEEP:	192:LnTFTRRUYbBp6+LZNMGaXHN6qU4g+zy+/3/7+AZ5RYiNBw8dvSl:3KenFNMYreyCbdwU0
MD5:	72E17B9B4428B4A57330E3880342CAE9
SHA1:	EB28226FCEBE352A51F59D4759930F06E2791EC2
SHA-256:	EEE221C28252ED2C8BB9C03B3AEC5AFE07AE51926BD8061D175E6DF6896F6319
SHA-512:	3DAB5660600A16EA54634BAEF77B70F5D08A479973F0A5A56D37FCCA9D5D8844459FFDDA8DC57C588D5DF324A49D44F36D411E83923174FF80C73FADC0F24807
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732479551);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732479551);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732479551);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173247

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.339588432524893
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSF5ELXnIgYb/pnxQwRlszT5sKL0RU3eHVvwKXTyamhujJmyOOxmOmr:GUpOxmmonR6wU3eNwCTy4JN36Rh5
MD5:	604FED5F86B0EBDB3909E978403ECFB7
SHA1:	698E8BA25B561D2D716290E89BE390F7BD3AAA49
SHA-256:	5FA68901028344BEF0B87882269AD1BECEDA9D2E1F957ADC86A190D8151980C4
SHA-512:	17594991E5894C5FB8041F245C0D9A4BDFB8C863577F7F84FB591D72E4590FDD32CE5C9C2F583060F8866DDB1104A5CCAE9742A39E990BAC34A834F1D6F85EA9
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5b8c9630-54b4-40f1-a3bc-a6597a6f64a7}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732479557476,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..P21344...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...25508,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.339588432524893
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSF5ELXnIgYb/pnxQwRlszT5sKL0RU3eHVvwKXTyamhujJmyOOxmOmr:GUpOxmmonR6wU3eNwCTy4JN36Rh5
MD5:	604FED5F86B0EBDB3909E978403ECFB7
SHA1:	698E8BA25B561D2D716290E89BE390F7BD3AAA49
SHA-256:	5FA68901028344BEF0B87882269AD1BECEDA9D2E1F957ADC86A190D8151980C4
SHA-512:	17594991E5894C5FB8041F245C0D9A4BDFB8C863577F7F84FB591D72E4590FDD32CE5C9C2F583060F8866DDB1104A5CCAE9742A39E990BAC34A834F1D6F85EA9
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5b8c9630-54b4-40f1-a3bc-a6597a6f64a7}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732479557476,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..P21344...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...25508,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.339588432524893
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSF5ELXnIgYb/pnxQwRlszT5sKL0RU3eHVvwKXTyamhujJmyOOxmOmr:GUpOxmmonR6wU3eNwCTy4JN36Rh5
MD5:	604FED5F86B0EBDB3909E978403ECFB7
SHA1:	698E8BA25B561D2D716290E89BE390F7BD3AAA49
SHA-256:	5FA68901028344BEF0B87882269AD1BECEDA9D2E1F957ADC86A190D8151980C4
SHA-512:	17594991E5894C5FB8041F245C0D9A4BDFB8C863577F7F84FB591D72E4590FDD32CE5C9C2F583060F8866DDB1104A5CCAE9742A39E990BAC34A834F1D6F85EA9
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5b8c9630-54b4-40f1-a3bc-a6597a6f64a7}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732479557476,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..P21344...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...25508,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.00960195144075
Encrypted:	false
SSDEEP:	48:YrSAYbfHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycLCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	54186D78D9418D0F460352BAD21A08F7
SHA1:	104221CAE47B11CDD8F17D4E721F4219E28E3906
SHA-256:	D10BFD66DCF6020AAAD4DD42801EE2FE0ECD9D38B675B002F9A7DE618F8DAC7D
SHA-512:	919D0C2C49710F979B771B45EDB1738253E908A8CE282623C52BC36B56DEE2555D415CCF34E536A096CC3BF56A7BBD770D0E2ACE0CAF78E6C2D802554FC63F7E
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T20:18:56.956Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.00960195144075
Encrypted:	false
SSDEEP:	48:YrSAYbfHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycLCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	54186D78D9418D0F460352BAD21A08F7
SHA1:	104221CAE47B11CDD8F17D4E721F4219E28E3906
SHA-256:	D10BFD66DCF6020AAAD4DD42801EE2FE0ECD9D38B675B002F9A7DE618F8DAC7D
SHA-512:	919D0C2C49710F979B771B45EDB1738253E908A8CE282623C52BC36B56DEE2555D415CCF34E536A096CC3BF56A7BBD770D0E2ACE0CAF78E6C2D802554FC63F7E
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T20:18:56.956Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.591422877841106
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'112 bytes
MD5:	667bf6cd0b76dd2dc3c2e66827a1c44a
SHA1:	9aff90b8016f3a956f018399d0e1b82593bf3e3e
SHA256:	6dfecc3e888281b0fd6cbebcbc35f7ad42de55f1cf9d1b9ab208eeb5d8e11fce
SHA512:	5aeb9bf3e0fd4a0ddb1be6ed9b123d9da4e2e0f6527f761046bf8ec3770bd75c75a4a7b79d4a7cfec65627c4eea6b270b4c922c67a524ee92fe4b585a2fba0f4
SSDEEP:	12288:EqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga2TQj:EqDEvCTbMWu7rQYlBQcBiT6rprG8aOm
TLSH:	10159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674375EE [Sun Nov 24 18:52:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F3BB4E75A03h
jmp 00007F3BB4E7530Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3BB4E754EDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3BB4E754BAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F3BB4E780ADh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F3BB4E780F8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F3BB4E780E1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa718	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa718	0xa800	7165d977e5f03c7e9f24dba915d84570	False	0.365234375	data	5.610895965200327	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x19e0	data			1.0016606280193237
RT_GROUP_ICON	0xde198	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde210	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde224	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde238	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde24c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde328	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 20:01:15.215961933 CET	49732	443	192.168.2.6	35.190.72.216
Nov 24, 2024 20:01:15.216058016 CET	443	49732	35.190.72.216	192.168.2.6
Nov 24, 2024 20:01:15.217550993 CET	49732	443	192.168.2.6	35.190.72.216
Nov 24, 2024 20:01:15.221944094 CET	49732	443	192.168.2.6	35.190.72.216
Nov 24, 2024 20:01:15.221983910 CET	443	49732	35.190.72.216	192.168.2.6
Nov 24, 2024 20:01:16.426687002 CET	49741	443	192.168.2.6	142.250.181.142
Nov 24, 2024 20:01:16.426769018 CET	443	49741	142.250.181.142	192.168.2.6
Nov 24, 2024 20:01:16.426799059 CET	49742	443	192.168.2.6	142.250.181.142
Nov 24, 2024 20:01:16.426841974 CET	443	49742	142.250.181.142	192.168.2.6
Nov 24, 2024 20:01:16.427891016 CET	49741	443	192.168.2.6	142.250.181.142
Nov 24, 2024 20:01:16.428105116 CET	49742	443	192.168.2.6	142.250.181.142
Nov 24, 2024 20:01:16.429466009 CET	49741	443	192.168.2.6	142.250.181.142
Nov 24, 2024 20:01:16.429502964 CET	443	49741	142.250.181.142	192.168.2.6
Nov 24, 2024 20:01:16.430866957 CET	49742	443	192.168.2.6	142.250.181.142
Nov 24, 2024 20:01:16.430887938 CET	443	49742	142.250.181.142	192.168.2.6
Nov 24, 2024 20:01:16.445334911 CET	49743	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:16.516829014 CET	443	49732	35.190.72.216	192.168.2.6
Nov 24, 2024 20:01:16.516915083 CET	49732	443	192.168.2.6	35.190.72.216
Nov 24, 2024 20:01:16.525712013 CET	49732	443	192.168.2.6	35.190.72.216
Nov 24, 2024 20:01:16.525738001 CET	443	49732	35.190.72.216	192.168.2.6
Nov 24, 2024 20:01:16.525857925 CET	49732	443	192.168.2.6	35.190.72.216
Nov 24, 2024 20:01:16.526230097 CET	443	49732	35.190.72.216	192.168.2.6
Nov 24, 2024 20:01:16.530839920 CET	49732	443	192.168.2.6	35.190.72.216
Nov 24, 2024 20:01:16.569499969 CET	80	49743	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:16.569580078 CET	49743	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:16.569736958 CET	49743	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:16.723397970 CET	80	49743	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:17.336410999 CET	49747	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:17.336469889 CET	443	49747	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:17.337404966 CET	49748	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:17.337450981 CET	443	49748	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:17.338599920 CET	49749	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:17.338638067 CET	443	49749	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:17.340354919 CET	49747	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:17.340367079 CET	49748	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:17.340368032 CET	49749	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:17.340837955 CET	49747	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:17.340858936 CET	443	49747	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:17.342338085 CET	49748	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:17.342360973 CET	443	49748	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:17.343692064 CET	49749	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:17.343708038 CET	443	49749	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:17.769629002 CET	80	49743	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:17.794291973 CET	49750	443	192.168.2.6	34.160.144.191
Nov 24, 2024 20:01:17.794327021 CET	443	49750	34.160.144.191	192.168.2.6
Nov 24, 2024 20:01:17.799554110 CET	49750	443	192.168.2.6	34.160.144.191
Nov 24, 2024 20:01:17.799704075 CET	49750	443	192.168.2.6	34.160.144.191
Nov 24, 2024 20:01:17.799730062 CET	443	49750	34.160.144.191	192.168.2.6
Nov 24, 2024 20:01:17.817163944 CET	49743	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:18.204267025 CET	49751	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:18.244780064 CET	443	49741	142.250.181.142	192.168.2.6
Nov 24, 2024 20:01:18.245687008 CET	443	49742	142.250.181.142	192.168.2.6
Nov 24, 2024 20:01:18.245790005 CET	443	49741	142.250.181.142	192.168.2.6
Nov 24, 2024 20:01:18.246418953 CET	443	49742	142.250.181.142	192.168.2.6
Nov 24, 2024 20:01:18.249526978 CET	49741	443	192.168.2.6	142.250.181.142
Nov 24, 2024 20:01:18.249557972 CET	443	49741	142.250.181.142	192.168.2.6
Nov 24, 2024 20:01:18.255341053 CET	443	49742	142.250.181.142	192.168.2.6
Nov 24, 2024 20:01:18.259361029 CET	443	49741	142.250.181.142	192.168.2.6
Nov 24, 2024 20:01:18.281860113 CET	49742	443	192.168.2.6	142.250.181.142
Nov 24, 2024 20:01:18.281869888 CET	49741	443	192.168.2.6	142.250.181.142
Nov 24, 2024 20:01:18.288316011 CET	49741	443	192.168.2.6	142.250.181.142
Nov 24, 2024 20:01:18.288342953 CET	443	49741	142.250.181.142	192.168.2.6
Nov 24, 2024 20:01:18.288408041 CET	49741	443	192.168.2.6	142.250.181.142
Nov 24, 2024 20:01:18.288687944 CET	49741	443	192.168.2.6	142.250.181.142
Nov 24, 2024 20:01:18.289011955 CET	443	49741	142.250.181.142	192.168.2.6
Nov 24, 2024 20:01:18.291908026 CET	49742	443	192.168.2.6	142.250.181.142
Nov 24, 2024 20:01:18.291927099 CET	443	49742	142.250.181.142	192.168.2.6
Nov 24, 2024 20:01:18.291987896 CET	49742	443	192.168.2.6	142.250.181.142
Nov 24, 2024 20:01:18.292136908 CET	443	49742	142.250.181.142	192.168.2.6
Nov 24, 2024 20:01:18.292272091 CET	49741	443	192.168.2.6	142.250.181.142
Nov 24, 2024 20:01:18.292273045 CET	49742	443	192.168.2.6	142.250.181.142
Nov 24, 2024 20:01:18.370804071 CET	80	49751	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:18.375005960 CET	49751	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:18.375005960 CET	49751	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:18.542526007 CET	80	49751	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:18.858927011 CET	443	49748	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:18.860246897 CET	49748	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:18.863132954 CET	49748	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:18.863157034 CET	443	49748	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:18.863219976 CET	49748	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:18.863353014 CET	443	49748	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:18.866082907 CET	49748	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:18.896702051 CET	443	49747	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:18.896969080 CET	49747	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:18.900254965 CET	49747	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:18.900266886 CET	443	49747	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:18.900675058 CET	443	49747	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:18.902537107 CET	49747	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:18.902628899 CET	49747	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:18.902724028 CET	443	49747	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:18.902942896 CET	49747	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:18.902944088 CET	49747	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:19.024389029 CET	443	49749	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:19.025197983 CET	49749	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:19.030631065 CET	49749	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:19.030641079 CET	443	49749	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:19.030725002 CET	49749	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:19.030966997 CET	443	49749	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:19.031146049 CET	49749	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:19.153022051 CET	49743	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:19.300025940 CET	80	49743	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:19.300124884 CET	49743	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:19.407723904 CET	443	49750	34.160.144.191	192.168.2.6
Nov 24, 2024 20:01:19.409207106 CET	49750	443	192.168.2.6	34.160.144.191
Nov 24, 2024 20:01:19.412482977 CET	49750	443	192.168.2.6	34.160.144.191
Nov 24, 2024 20:01:19.412507057 CET	443	49750	34.160.144.191	192.168.2.6
Nov 24, 2024 20:01:19.412815094 CET	443	49750	34.160.144.191	192.168.2.6
Nov 24, 2024 20:01:19.414426088 CET	49750	443	192.168.2.6	34.160.144.191
Nov 24, 2024 20:01:19.414506912 CET	49750	443	192.168.2.6	34.160.144.191
Nov 24, 2024 20:01:19.414575100 CET	443	49750	34.160.144.191	192.168.2.6
Nov 24, 2024 20:01:19.414673090 CET	49750	443	192.168.2.6	34.160.144.191
Nov 24, 2024 20:01:19.414674044 CET	49750	443	192.168.2.6	34.160.144.191
Nov 24, 2024 20:01:19.589698076 CET	49761	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:19.589764118 CET	443	49761	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:19.592020035 CET	49761	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:19.593528986 CET	49761	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:19.593555927 CET	443	49761	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:19.725667000 CET	80	49751	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:19.726097107 CET	49751	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:19.792186975 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:19.908770084 CET	80	49751	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:19.914030075 CET	49751	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:19.918406010 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:19.923774004 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:19.924010038 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:20.091567993 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:20.934209108 CET	443	49761	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:20.943332911 CET	443	49761	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:20.947760105 CET	49761	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:20.976231098 CET	49765	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:20.976248980 CET	443	49765	34.107.243.93	192.168.2.6
Nov 24, 2024 20:01:20.978928089 CET	49765	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:20.980670929 CET	49765	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:20.980684042 CET	443	49765	34.107.243.93	192.168.2.6
Nov 24, 2024 20:01:20.980947971 CET	49761	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:20.980969906 CET	443	49761	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:20.981039047 CET	49761	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:20.981257915 CET	443	49761	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:20.981362104 CET	49766	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:20.981390953 CET	443	49766	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:20.993453026 CET	49761	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:20.993674040 CET	49766	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:20.995294094 CET	49766	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:20.995310068 CET	443	49766	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:21.103929043 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:21.212994099 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:22.260386944 CET	443	49766	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:22.260400057 CET	443	49766	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:22.260483027 CET	49766	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:22.264626980 CET	49766	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:22.264642954 CET	443	49766	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:22.264739990 CET	49766	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:22.264802933 CET	443	49766	34.117.188.166	192.168.2.6
Nov 24, 2024 20:01:22.264882088 CET	49766	443	192.168.2.6	34.117.188.166
Nov 24, 2024 20:01:22.293379068 CET	443	49765	34.107.243.93	192.168.2.6
Nov 24, 2024 20:01:22.293457985 CET	49765	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:22.297421932 CET	49765	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:22.297430992 CET	443	49765	34.107.243.93	192.168.2.6
Nov 24, 2024 20:01:22.297496080 CET	49765	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:22.297569990 CET	443	49765	34.107.243.93	192.168.2.6
Nov 24, 2024 20:01:22.297629118 CET	49765	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:22.833008051 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:22.843638897 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:23.100837946 CET	49774	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:23.149916887 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:23.149967909 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:23.150100946 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:23.150325060 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:23.169281006 CET	49775	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:23.169303894 CET	443	49775	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:23.169639111 CET	49775	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:23.169744015 CET	49775	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:23.169754982 CET	443	49775	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:23.170466900 CET	49776	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:23.170512915 CET	443	49776	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:23.171385050 CET	49777	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:23.171426058 CET	443	49777	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:23.171433926 CET	49776	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:23.172926903 CET	49776	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:23.172945976 CET	443	49776	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:23.173109055 CET	49777	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:23.174640894 CET	49777	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:23.174664974 CET	443	49777	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:23.232187986 CET	80	49774	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:23.232408047 CET	49774	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:23.301949978 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:23.353903055 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:23.422476053 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:24.360054016 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:24.454458952 CET	443	49775	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:24.456172943 CET	49775	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:24.456737041 CET	443	49777	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:24.458952904 CET	49775	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:24.458973885 CET	443	49775	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:24.459758997 CET	443	49775	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:24.461190939 CET	49775	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:24.461272955 CET	49775	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:24.461539030 CET	443	49775	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:24.466777086 CET	49775	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:24.466777086 CET	49775	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:24.466789007 CET	49777	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:24.470769882 CET	49777	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:24.470818996 CET	443	49777	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:24.470884085 CET	49777	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:24.471019030 CET	443	49777	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:24.471239090 CET	49783	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:24.471277952 CET	443	49783	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:24.471752882 CET	49783	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:24.471775055 CET	49777	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:24.473234892 CET	49783	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:24.473249912 CET	443	49783	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:24.499578953 CET	443	49776	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:24.499752998 CET	49776	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:24.503998041 CET	49776	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:24.504007101 CET	443	49776	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:24.504075050 CET	49776	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:24.504196882 CET	443	49776	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:24.504414082 CET	49776	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:24.509591103 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:25.813406944 CET	443	49783	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:25.813491106 CET	49783	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:25.818675041 CET	49783	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:25.818685055 CET	443	49783	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:25.818768024 CET	49783	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:25.818900108 CET	443	49783	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:25.819000959 CET	49783	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:26.881889105 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:26.897485018 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:27.001818895 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:27.017486095 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:27.044024944 CET	49790	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:27.044080019 CET	443	49790	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:27.045757055 CET	49790	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:27.047156096 CET	49790	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:27.047174931 CET	443	49790	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:27.202949047 CET	49791	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:27.202980995 CET	443	49791	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:27.204775095 CET	49791	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:27.204999924 CET	49791	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:27.205009937 CET	443	49791	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:27.214942932 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:27.221592903 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:27.264216900 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:27.264249086 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:27.347840071 CET	49792	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:27.347897053 CET	443	49792	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:27.348917007 CET	49792	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:27.349356890 CET	49792	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:27.349383116 CET	443	49792	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:28.453912973 CET	443	49790	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:28.456939936 CET	49790	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:28.553945065 CET	443	49791	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:28.554029942 CET	49791	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:28.556516886 CET	49791	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:28.556521893 CET	443	49791	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:28.556777000 CET	443	49791	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:28.610846043 CET	49791	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:28.668692112 CET	443	49792	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:28.668804884 CET	49792	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:28.820837975 CET	49792	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:28.820858955 CET	443	49792	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:28.821176052 CET	443	49792	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:28.824008942 CET	49790	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:28.824060917 CET	443	49790	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:28.824208021 CET	49790	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:28.824603081 CET	443	49790	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:28.824647903 CET	49791	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:28.824701071 CET	49791	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:28.824779034 CET	49790	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:28.825005054 CET	443	49791	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:28.825274944 CET	49791	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:28.825612068 CET	49792	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:28.825721025 CET	49792	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:28.825779915 CET	443	49792	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:28.825845957 CET	49792	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:28.863725901 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:29.004204035 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:29.156270981 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:29.160279989 CET	49797	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:29.160311937 CET	443	49797	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:29.161102057 CET	49798	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:29.161111116 CET	443	49798	34.107.243.93	192.168.2.6
Nov 24, 2024 20:01:29.163521051 CET	49797	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:29.163521051 CET	49798	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:29.164925098 CET	49797	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:29.164937019 CET	443	49797	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:29.166625023 CET	49798	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:29.166635036 CET	443	49798	34.107.243.93	192.168.2.6
Nov 24, 2024 20:01:29.166757107 CET	49774	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:29.217617035 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:29.269455910 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:29.275719881 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:29.286694050 CET	80	49774	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:29.286762953 CET	49774	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:29.480185986 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:29.531558990 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:29.546951056 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:29.666570902 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:29.880883932 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:29.932723045 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:30.448653936 CET	443	49798	34.107.243.93	192.168.2.6
Nov 24, 2024 20:01:30.448910952 CET	49798	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:30.461647987 CET	443	49797	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:30.461829901 CET	49797	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:31.048657894 CET	49798	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:31.048681021 CET	443	49798	34.107.243.93	192.168.2.6
Nov 24, 2024 20:01:31.048743963 CET	49798	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:31.048913956 CET	443	49798	34.107.243.93	192.168.2.6
Nov 24, 2024 20:01:31.049130917 CET	49797	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:31.049144983 CET	443	49797	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:31.049217939 CET	49797	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:31.049784899 CET	443	49797	34.120.208.123	192.168.2.6
Nov 24, 2024 20:01:31.050076962 CET	49798	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:31.050214052 CET	49797	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:01:31.250386000 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:31.375652075 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:31.579802036 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:31.622081041 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:34.860956907 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:34.987504959 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:35.201546907 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:35.246891022 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:41.385369062 CET	49829	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:41.385426044 CET	443	49829	34.107.243.93	192.168.2.6
Nov 24, 2024 20:01:41.385749102 CET	49829	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:41.387227058 CET	49829	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:41.387250900 CET	443	49829	34.107.243.93	192.168.2.6
Nov 24, 2024 20:01:41.594235897 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:41.720886946 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:42.599545956 CET	443	49829	34.107.243.93	192.168.2.6
Nov 24, 2024 20:01:42.599621058 CET	49829	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:42.604042053 CET	49829	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:42.604044914 CET	443	49829	34.107.243.93	192.168.2.6
Nov 24, 2024 20:01:42.604151964 CET	443	49829	34.107.243.93	192.168.2.6
Nov 24, 2024 20:01:42.604156971 CET	49829	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:42.604162931 CET	443	49829	34.107.243.93	192.168.2.6
Nov 24, 2024 20:01:42.604392052 CET	49829	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:01:42.607454062 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:42.740111113 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:42.945031881 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:42.948769093 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:42.998424053 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:43.086752892 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:43.310586929 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:43.352725029 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:43.831816912 CET	49835	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:43.831868887 CET	443	49835	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:43.832232952 CET	49835	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:43.832336903 CET	49835	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:43.832345009 CET	443	49835	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:43.857777119 CET	49836	443	192.168.2.6	35.190.72.216
Nov 24, 2024 20:01:43.857831001 CET	443	49836	35.190.72.216	192.168.2.6
Nov 24, 2024 20:01:43.862684965 CET	49836	443	192.168.2.6	35.190.72.216
Nov 24, 2024 20:01:43.864110947 CET	49836	443	192.168.2.6	35.190.72.216
Nov 24, 2024 20:01:43.864123106 CET	443	49836	35.190.72.216	192.168.2.6
Nov 24, 2024 20:01:44.052376032 CET	49837	443	192.168.2.6	151.101.193.91
Nov 24, 2024 20:01:44.052431107 CET	443	49837	151.101.193.91	192.168.2.6
Nov 24, 2024 20:01:44.052881002 CET	49837	443	192.168.2.6	151.101.193.91
Nov 24, 2024 20:01:44.053272009 CET	49837	443	192.168.2.6	151.101.193.91
Nov 24, 2024 20:01:44.053283930 CET	443	49837	151.101.193.91	192.168.2.6
Nov 24, 2024 20:01:44.209650040 CET	49838	443	192.168.2.6	35.201.103.21
Nov 24, 2024 20:01:44.209707022 CET	443	49838	35.201.103.21	192.168.2.6
Nov 24, 2024 20:01:44.209989071 CET	49838	443	192.168.2.6	35.201.103.21
Nov 24, 2024 20:01:44.211519003 CET	49838	443	192.168.2.6	35.201.103.21
Nov 24, 2024 20:01:44.211534023 CET	443	49838	35.201.103.21	192.168.2.6
Nov 24, 2024 20:01:44.265283108 CET	49839	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:44.265316963 CET	443	49839	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:44.265547037 CET	49839	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:44.265677929 CET	49839	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:44.265695095 CET	443	49839	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:45.091403961 CET	443	49835	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:45.091589928 CET	49835	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:45.094542027 CET	49835	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:45.094563961 CET	443	49835	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:45.094813108 CET	443	49835	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:45.096889973 CET	49835	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:45.097013950 CET	49835	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:45.097063065 CET	443	49835	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:45.097546101 CET	49835	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:45.102524042 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:45.176722050 CET	443	49836	35.190.72.216	192.168.2.6
Nov 24, 2024 20:01:45.176817894 CET	49836	443	192.168.2.6	35.190.72.216
Nov 24, 2024 20:01:45.180995941 CET	49836	443	192.168.2.6	35.190.72.216
Nov 24, 2024 20:01:45.181003094 CET	443	49836	35.190.72.216	192.168.2.6
Nov 24, 2024 20:01:45.181142092 CET	49836	443	192.168.2.6	35.190.72.216
Nov 24, 2024 20:01:45.181181908 CET	443	49836	35.190.72.216	192.168.2.6
Nov 24, 2024 20:01:45.181363106 CET	49836	443	192.168.2.6	35.190.72.216
Nov 24, 2024 20:01:45.244313002 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:45.275703907 CET	443	49837	151.101.193.91	192.168.2.6
Nov 24, 2024 20:01:45.275820017 CET	49837	443	192.168.2.6	151.101.193.91
Nov 24, 2024 20:01:45.278755903 CET	49837	443	192.168.2.6	151.101.193.91
Nov 24, 2024 20:01:45.278770924 CET	443	49837	151.101.193.91	192.168.2.6
Nov 24, 2024 20:01:45.279028893 CET	443	49837	151.101.193.91	192.168.2.6
Nov 24, 2024 20:01:45.280771971 CET	49837	443	192.168.2.6	151.101.193.91
Nov 24, 2024 20:01:45.280879974 CET	49837	443	192.168.2.6	151.101.193.91
Nov 24, 2024 20:01:45.280992985 CET	443	49837	151.101.193.91	192.168.2.6
Nov 24, 2024 20:01:45.285298109 CET	49837	443	192.168.2.6	151.101.193.91
Nov 24, 2024 20:01:45.285319090 CET	49837	443	192.168.2.6	151.101.193.91
Nov 24, 2024 20:01:45.289572954 CET	49842	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:45.289623022 CET	443	49842	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:45.289736986 CET	49842	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:45.289895058 CET	49842	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:45.289906979 CET	443	49842	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:45.292022943 CET	49843	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:45.292042971 CET	443	49843	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:45.292387962 CET	49843	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:45.292517900 CET	49843	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:45.292526960 CET	443	49843	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:45.294574022 CET	49844	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:45.294604063 CET	443	49844	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:45.294675112 CET	49844	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:45.294756889 CET	49844	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:45.294768095 CET	443	49844	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:45.448493004 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:45.452120066 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:45.490317106 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:45.575285912 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:45.603904963 CET	443	49839	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:45.603991032 CET	49839	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:45.604751110 CET	443	49838	35.201.103.21	192.168.2.6
Nov 24, 2024 20:01:45.604820967 CET	49838	443	192.168.2.6	35.201.103.21
Nov 24, 2024 20:01:45.607542992 CET	49839	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:45.607564926 CET	443	49839	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:45.607875109 CET	443	49839	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:45.612996101 CET	49839	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:45.613229036 CET	443	49839	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:45.613248110 CET	49839	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:45.613262892 CET	443	49839	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:45.613667965 CET	49838	443	192.168.2.6	35.201.103.21
Nov 24, 2024 20:01:45.613689899 CET	443	49838	35.201.103.21	192.168.2.6
Nov 24, 2024 20:01:45.613718033 CET	49838	443	192.168.2.6	35.201.103.21
Nov 24, 2024 20:01:45.613862991 CET	443	49838	35.201.103.21	192.168.2.6
Nov 24, 2024 20:01:45.614103079 CET	49838	443	192.168.2.6	35.201.103.21
Nov 24, 2024 20:01:45.617621899 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:45.627127886 CET	49847	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:45.627167940 CET	443	49847	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:45.627227068 CET	49847	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:45.627332926 CET	49847	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:45.627342939 CET	443	49847	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:45.740989923 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:45.788921118 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:45.819334030 CET	443	49839	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:45.819408894 CET	49839	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:45.829000950 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:45.945647955 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:45.951977968 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:45.991826057 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:46.076967955 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:46.290221930 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:46.330543041 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:46.516855001 CET	443	49844	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:46.516956091 CET	49844	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:46.519875050 CET	49844	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:46.519900084 CET	443	49844	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:46.520186901 CET	443	49844	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:46.522361040 CET	49844	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:46.522460938 CET	49844	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:46.522546053 CET	443	49844	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:46.522639036 CET	49844	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:46.525428057 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:46.555107117 CET	443	49842	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:46.555205107 CET	49842	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:46.558244944 CET	49842	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:46.558286905 CET	443	49842	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:46.558595896 CET	443	49842	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:46.560976982 CET	49842	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:46.561088085 CET	49842	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:46.561197996 CET	443	49842	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:46.562457085 CET	49842	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:46.608005047 CET	443	49843	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:46.608398914 CET	49843	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:46.611658096 CET	49843	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:46.611675978 CET	443	49843	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:46.611962080 CET	443	49843	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:46.619152069 CET	49843	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:46.619246006 CET	49843	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:46.619369984 CET	443	49843	35.244.181.201	192.168.2.6
Nov 24, 2024 20:01:46.619784117 CET	49843	443	192.168.2.6	35.244.181.201
Nov 24, 2024 20:01:46.646250963 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:46.850507021 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:46.853858948 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:46.888350010 CET	443	49847	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:46.888447046 CET	49847	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:46.892067909 CET	49847	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:46.892077923 CET	443	49847	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:46.892334938 CET	443	49847	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:46.894587040 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:46.895347118 CET	49847	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:46.895447016 CET	49847	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:46.895520926 CET	443	49847	34.149.100.209	192.168.2.6
Nov 24, 2024 20:01:46.899000883 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:46.899645090 CET	49847	443	192.168.2.6	34.149.100.209
Nov 24, 2024 20:01:47.026207924 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:47.035151958 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:47.239042997 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:47.239949942 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:47.243344069 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:47.280147076 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:47.560787916 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:47.906980038 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:47.950979948 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:57.242753983 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:57.368210077 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:01:57.922597885 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:01:58.042681932 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:01.891870975 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:02.126517057 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:02.332653046 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:02.336829901 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:02.373140097 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:02.480902910 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:02.700146914 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:02.758722067 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:03.008263111 CET	49890	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:02:03.008327007 CET	443	49890	34.107.243.93	192.168.2.6
Nov 24, 2024 20:02:03.008627892 CET	49890	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:02:03.010092974 CET	49890	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:02:03.010107040 CET	443	49890	34.107.243.93	192.168.2.6
Nov 24, 2024 20:02:04.323002100 CET	443	49890	34.107.243.93	192.168.2.6
Nov 24, 2024 20:02:04.323128939 CET	49890	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:02:04.327719927 CET	49890	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:02:04.327728033 CET	443	49890	34.107.243.93	192.168.2.6
Nov 24, 2024 20:02:04.327828884 CET	49890	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:02:04.327903032 CET	443	49890	34.107.243.93	192.168.2.6
Nov 24, 2024 20:02:04.329186916 CET	49890	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:02:04.339956045 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:04.473349094 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:04.682014942 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:04.685190916 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:04.726775885 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:04.805516958 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:05.028426886 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:05.081044912 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:14.618982077 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.619024992 CET	443	49917	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:14.619461060 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.619518042 CET	443	49918	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:14.619746923 CET	49919	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.619760990 CET	443	49919	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:14.620547056 CET	49920	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.620589018 CET	443	49920	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:14.620923042 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.620954037 CET	443	49921	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:14.621192932 CET	49922	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.621206045 CET	443	49922	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:14.624560118 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.624583006 CET	49920	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.624594927 CET	49919	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.624594927 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.624596119 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.624620914 CET	49922	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.625255108 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.625272036 CET	443	49917	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:14.625411034 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.625426054 CET	443	49918	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:14.625478029 CET	49919	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.625493050 CET	443	49919	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:14.625543118 CET	49920	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.625564098 CET	443	49920	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:14.625607014 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.625626087 CET	443	49921	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:14.625668049 CET	49922	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:14.625675917 CET	443	49922	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:14.693492889 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:14.813914061 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:15.041256905 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:15.161349058 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:15.838855982 CET	443	49917	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.838937998 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.842180014 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.842194080 CET	443	49917	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.842438936 CET	443	49917	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.845210075 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.845338106 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.845361948 CET	443	49917	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.845873117 CET	49925	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.845927954 CET	443	49925	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.848241091 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.848299980 CET	49925	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.848493099 CET	49925	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.848520994 CET	443	49925	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.850084066 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:15.888317108 CET	443	49919	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.888405085 CET	49919	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.888616085 CET	443	49920	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.888690948 CET	49920	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.889596939 CET	443	49921	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.889759064 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.891699076 CET	49919	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.891707897 CET	443	49919	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.891974926 CET	443	49919	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.892362118 CET	443	49922	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.894201994 CET	49920	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.894221067 CET	443	49920	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.894380093 CET	49922	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.894494057 CET	443	49920	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.896439075 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.896460056 CET	443	49921	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.896800995 CET	443	49921	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.899363041 CET	49922	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.899377108 CET	443	49922	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.899779081 CET	443	49922	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.903794050 CET	49919	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.903953075 CET	443	49919	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.904036045 CET	49919	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.904045105 CET	443	49919	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.905092955 CET	49926	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.905137062 CET	443	49926	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.905148029 CET	49920	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.905246973 CET	49920	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.905349016 CET	443	49920	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.905503988 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.905561924 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.905741930 CET	443	49921	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.905965090 CET	49920	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.905986071 CET	49926	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.905987978 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.906161070 CET	49926	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.906172991 CET	443	49926	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.906348944 CET	49922	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.906436920 CET	49922	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.906588078 CET	443	49922	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.906872034 CET	49922	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.930491924 CET	443	49918	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.930562973 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.933454037 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.933459997 CET	443	49918	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.933721066 CET	443	49918	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.935697079 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.935853004 CET	443	49918	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.935909033 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.935914993 CET	443	49918	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:15.936286926 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:15.972716093 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:16.115334034 CET	443	49919	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:16.115432978 CET	49919	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:16.178786039 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:16.182261944 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:16.224920034 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:16.307389975 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:16.520709038 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:16.576881886 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:17.059304953 CET	443	49925	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:17.059408903 CET	49925	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:17.062504053 CET	49925	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:17.062536955 CET	443	49925	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:17.062772989 CET	443	49925	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:17.065005064 CET	49925	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:17.065144062 CET	49925	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:17.065165043 CET	443	49925	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:17.065315008 CET	49925	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:17.067884922 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:17.125453949 CET	443	49926	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:17.125519991 CET	49926	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:17.128379107 CET	49926	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:17.128397942 CET	443	49926	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:17.128635883 CET	443	49926	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:17.131299973 CET	49926	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:17.131299973 CET	49926	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:17.131516933 CET	443	49926	34.120.208.123	192.168.2.6
Nov 24, 2024 20:02:17.131571054 CET	49926	443	192.168.2.6	34.120.208.123
Nov 24, 2024 20:02:17.194394112 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:17.399296045 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:17.405164003 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:17.448328018 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:17.524856091 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:17.738162994 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:17.798496962 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:27.408752918 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:27.528496981 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:27.748132944 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:27.867800951 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:37.529649019 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:37.664062023 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:37.877415895 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:37.996988058 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:45.594885111 CET	49995	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:02:45.594960928 CET	443	49995	34.107.243.93	192.168.2.6
Nov 24, 2024 20:02:45.595086098 CET	49995	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:02:45.596549034 CET	49995	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:02:45.596575975 CET	443	49995	34.107.243.93	192.168.2.6
Nov 24, 2024 20:02:47.043190956 CET	443	49995	34.107.243.93	192.168.2.6
Nov 24, 2024 20:02:47.043276072 CET	49995	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:02:47.048858881 CET	49995	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:02:47.048883915 CET	443	49995	34.107.243.93	192.168.2.6
Nov 24, 2024 20:02:47.048966885 CET	49995	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:02:47.049020052 CET	443	49995	34.107.243.93	192.168.2.6
Nov 24, 2024 20:02:47.049115896 CET	49995	443	192.168.2.6	34.107.243.93
Nov 24, 2024 20:02:47.051755905 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:47.173619986 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:47.379795074 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:47.383681059 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:47.426049948 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:47.503633976 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:47.717154026 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:47.759455919 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:57.385919094 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:57.512192011 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:02:57.724136114 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:02:57.843907118 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:03:07.530119896 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:03:07.649667025 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:03:07.853127956 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:03:07.974535942 CET	80	49773	34.107.221.82	192.168.2.6
Nov 24, 2024 20:03:17.662410975 CET	49762	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:03:17.782793045 CET	80	49762	34.107.221.82	192.168.2.6
Nov 24, 2024 20:03:17.985433102 CET	49773	80	192.168.2.6	34.107.221.82
Nov 24, 2024 20:03:18.110034943 CET	80	49773	34.107.221.82	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 20:01:15.216778040 CET	60606	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:15.451766014 CET	53	60606	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:15.460416079 CET	57043	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:15.701076031 CET	53	57043	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:16.274188995 CET	58683	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:16.294758081 CET	57906	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:16.413840055 CET	53	58683	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:16.426999092 CET	49767	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:16.445631027 CET	57270	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:16.568048954 CET	53	49767	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:16.568744898 CET	62739	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:16.597105980 CET	53	57270	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:16.599432945 CET	50329	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:16.717560053 CET	53	62739	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:16.785219908 CET	53	50329	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:16.865422964 CET	50563	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:16.887063980 CET	65246	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:17.008167028 CET	53	50563	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:17.025852919 CET	53	65246	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:17.338212013 CET	49465	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:17.339118004 CET	63697	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:17.339396000 CET	62618	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:17.499423981 CET	53	62618	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:17.499588966 CET	53	63697	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:17.500277996 CET	59234	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:17.500380993 CET	52675	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:17.508608103 CET	53	49465	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:17.509202003 CET	60336	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:17.639780998 CET	53	52675	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:17.639796972 CET	53	59234	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:17.641165972 CET	64868	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:17.657186031 CET	53	60336	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:17.780715942 CET	59898	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:17.781296968 CET	53139	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:17.792576075 CET	53	64868	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:17.794380903 CET	57041	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:17.907645941 CET	59975	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:17.909226894 CET	55013	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:17.983040094 CET	53	53139	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:17.983073950 CET	53	57041	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:17.983372927 CET	53	59898	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:17.984209061 CET	50703	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:18.201574087 CET	53	50703	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:19.048741102 CET	53	52705	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:20.058744907 CET	54991	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:20.232681036 CET	53	54991	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:20.233993053 CET	56057	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:20.399991989 CET	53	56057	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:20.400686026 CET	63632	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:20.544835091 CET	53	63632	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:22.779006958 CET	61605	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:22.914211035 CET	61668	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:22.919919968 CET	61290	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:23.167965889 CET	53	61290	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:23.168982029 CET	53	61668	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:23.169038057 CET	53	61605	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:23.170428038 CET	65243	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:23.171093941 CET	51727	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:23.171904087 CET	62901	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:23.343485117 CET	53	65243	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:23.345402002 CET	53	62901	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:23.345690012 CET	54229	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:23.346139908 CET	53	51727	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:23.346307039 CET	61799	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:23.346744061 CET	63671	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:23.522222042 CET	53	63671	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:23.531636953 CET	53	61799	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:23.702210903 CET	53	54229	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:29.167957067 CET	60981	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:29.169353962 CET	57273	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:29.305165052 CET	53	60981	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:29.306376934 CET	53	57273	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:29.574738026 CET	59684	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:29.574800014 CET	52379	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:29.608608961 CET	55223	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:29.714891911 CET	53	59684	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:29.717391014 CET	53	52379	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:29.718406916 CET	57900	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:29.750358105 CET	53	55223	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:29.751560926 CET	49929	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:29.752208948 CET	61008	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:29.913284063 CET	53	49929	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:29.913667917 CET	53	61008	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:29.914103031 CET	55471	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:29.914273977 CET	55994	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:29.931583881 CET	53	57900	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:29.932519913 CET	58335	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:30.060401917 CET	53	55471	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:30.060448885 CET	53	55994	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:30.146188974 CET	53	58335	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:31.041784048 CET	55146	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:31.042701960 CET	61908	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:31.181173086 CET	53	55146	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:31.183018923 CET	53	61908	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:31.196296930 CET	63343	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:31.196320057 CET	63622	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:31.343027115 CET	53	63622	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:31.344260931 CET	51084	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:31.345480919 CET	53	63343	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:31.346189976 CET	55572	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:31.522639036 CET	53	51084	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:31.584660053 CET	53	55572	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:41.385775089 CET	59776	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:41.524458885 CET	53	59776	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:42.607773066 CET	53760	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:42.948348045 CET	56918	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:43.828784943 CET	64696	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:43.866348028 CET	62378	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:44.051167965 CET	53	64696	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:44.052809000 CET	65485	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:44.198337078 CET	53	65485	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:44.199346066 CET	61681	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:44.208342075 CET	53	62378	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:44.209923029 CET	52140	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:44.265476942 CET	54022	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:44.486589909 CET	53	52140	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:44.487647057 CET	53	61681	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:44.487643957 CET	53563	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:44.530214071 CET	53	54022	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:44.625860929 CET	53	53563	1.1.1.1	192.168.2.6
Nov 24, 2024 20:01:45.102880001 CET	52002	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:45.263425112 CET	57569	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:45.452370882 CET	63585	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:01:45.595616102 CET	52331	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:02:02.861809015 CET	64236	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:02:03.007081032 CET	53	64236	1.1.1.1	192.168.2.6
Nov 24, 2024 20:02:03.008452892 CET	61560	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:02:03.149460077 CET	53	61560	1.1.1.1	192.168.2.6
Nov 24, 2024 20:02:14.615510941 CET	63636	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:02:14.753887892 CET	53	63636	1.1.1.1	192.168.2.6
Nov 24, 2024 20:02:45.595046043 CET	57546	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:02:45.906105995 CET	57546	53	192.168.2.6	1.1.1.1
Nov 24, 2024 20:02:45.926258087 CET	53	57546	1.1.1.1	192.168.2.6
Nov 24, 2024 20:02:46.043956995 CET	53	57546	1.1.1.1	192.168.2.6
Nov 24, 2024 20:02:47.052056074 CET	57632	53	192.168.2.6	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 20:01:15.216778040 CET	192.168.2.6	1.1.1.1	0x2524	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:15.460416079 CET	192.168.2.6	1.1.1.1	0x8793	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 20:01:16.274188995 CET	192.168.2.6	1.1.1.1	0x69ee	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:16.294758081 CET	192.168.2.6	1.1.1.1	0x6762	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:16.426999092 CET	192.168.2.6	1.1.1.1	0x9be9	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:16.445631027 CET	192.168.2.6	1.1.1.1	0x7f23	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:16.568744898 CET	192.168.2.6	1.1.1.1	0x49c5	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 24, 2024 20:01:16.599432945 CET	192.168.2.6	1.1.1.1	0x5830	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 20:01:16.865422964 CET	192.168.2.6	1.1.1.1	0x29a	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:16.887063980 CET	192.168.2.6	1.1.1.1	0xf00	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.338212013 CET	192.168.2.6	1.1.1.1	0x9d3f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.339118004 CET	192.168.2.6	1.1.1.1	0xd51a	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.339396000 CET	192.168.2.6	1.1.1.1	0xeb4d	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.500277996 CET	192.168.2.6	1.1.1.1	0x72a1	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 20:01:17.500380993 CET	192.168.2.6	1.1.1.1	0x65ba	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 20:01:17.509202003 CET	192.168.2.6	1.1.1.1	0x6bb2	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 20:01:17.641165972 CET	192.168.2.6	1.1.1.1	0x8c9f	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.780715942 CET	192.168.2.6	1.1.1.1	0x7b6d	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.781296968 CET	192.168.2.6	1.1.1.1	0x8dba	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.794380903 CET	192.168.2.6	1.1.1.1	0x797	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.907645941 CET	192.168.2.6	1.1.1.1	0x2e45	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.909226894 CET	192.168.2.6	1.1.1.1	0x1bb5	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.984209061 CET	192.168.2.6	1.1.1.1	0x571b	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 20:01:20.058744907 CET	192.168.2.6	1.1.1.1	0x71bc	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:20.233993053 CET	192.168.2.6	1.1.1.1	0x5c07	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:20.400686026 CET	192.168.2.6	1.1.1.1	0xf3f4	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 20:01:22.779006958 CET	192.168.2.6	1.1.1.1	0x4bc7	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:22.914211035 CET	192.168.2.6	1.1.1.1	0xcf68	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 20:01:22.919919968 CET	192.168.2.6	1.1.1.1	0x63a1	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:23.170428038 CET	192.168.2.6	1.1.1.1	0x7787	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:23.171093941 CET	192.168.2.6	1.1.1.1	0xadec	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:23.171904087 CET	192.168.2.6	1.1.1.1	0xa191	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:23.345690012 CET	192.168.2.6	1.1.1.1	0x5ed9	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 20:01:23.346307039 CET	192.168.2.6	1.1.1.1	0x33cd	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 20:01:23.346744061 CET	192.168.2.6	1.1.1.1	0xd67e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 20:01:29.167957067 CET	192.168.2.6	1.1.1.1	0xfede	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 20:01:29.169353962 CET	192.168.2.6	1.1.1.1	0xdbd8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 20:01:29.574738026 CET	192.168.2.6	1.1.1.1	0x8580	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.574800014 CET	192.168.2.6	1.1.1.1	0x3b8	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.608608961 CET	192.168.2.6	1.1.1.1	0xc639	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.718406916 CET	192.168.2.6	1.1.1.1	0x6331	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.751560926 CET	192.168.2.6	1.1.1.1	0xcb12	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.752208948 CET	192.168.2.6	1.1.1.1	0x3329	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.914103031 CET	192.168.2.6	1.1.1.1	0xb3ba	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 24, 2024 20:01:29.914273977 CET	192.168.2.6	1.1.1.1	0x7ab3	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 24, 2024 20:01:29.932519913 CET	192.168.2.6	1.1.1.1	0x9c2	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 24, 2024 20:01:31.041784048 CET	192.168.2.6	1.1.1.1	0x8930	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:31.042701960 CET	192.168.2.6	1.1.1.1	0xcdcb	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:31.196296930 CET	192.168.2.6	1.1.1.1	0xd505	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:31.196320057 CET	192.168.2.6	1.1.1.1	0x2c4	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:31.344260931 CET	192.168.2.6	1.1.1.1	0x3679	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 24, 2024 20:01:31.346189976 CET	192.168.2.6	1.1.1.1	0x8363	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 24, 2024 20:01:41.385775089 CET	192.168.2.6	1.1.1.1	0x75b3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 20:01:42.607773066 CET	192.168.2.6	1.1.1.1	0x5e77	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:42.948348045 CET	192.168.2.6	1.1.1.1	0x3100	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:43.828784943 CET	192.168.2.6	1.1.1.1	0xd894	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:43.866348028 CET	192.168.2.6	1.1.1.1	0x731a	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:44.052809000 CET	192.168.2.6	1.1.1.1	0x57d1	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:44.199346066 CET	192.168.2.6	1.1.1.1	0xca24	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 24, 2024 20:01:44.209923029 CET	192.168.2.6	1.1.1.1	0xe3c9	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:44.265476942 CET	192.168.2.6	1.1.1.1	0x972	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 20:01:44.487643957 CET	192.168.2.6	1.1.1.1	0x7bf4	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 20:01:45.102880001 CET	192.168.2.6	1.1.1.1	0x9e23	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:45.263425112 CET	192.168.2.6	1.1.1.1	0xf874	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:45.452370882 CET	192.168.2.6	1.1.1.1	0xf2ee	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:45.595616102 CET	192.168.2.6	1.1.1.1	0x5167	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:02:02.861809015 CET	192.168.2.6	1.1.1.1	0x6bef	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:02:03.008452892 CET	192.168.2.6	1.1.1.1	0xdbc1	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 20:02:14.615510941 CET	192.168.2.6	1.1.1.1	0x315e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 20:02:45.595046043 CET	192.168.2.6	1.1.1.1	0x46e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 20:02:45.906105995 CET	192.168.2.6	1.1.1.1	0x46e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 20:02:47.052056074 CET	192.168.2.6	1.1.1.1	0x2584	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 20:01:15.176703930 CET	1.1.1.1	192.168.2.6	0x9f60	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:15.451766014 CET	1.1.1.1	192.168.2.6	0x2524	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:16.413840055 CET	1.1.1.1	192.168.2.6	0x69ee	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:16.433902979 CET	1.1.1.1	192.168.2.6	0x6762	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:16.433902979 CET	1.1.1.1	192.168.2.6	0x6762	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:16.568048954 CET	1.1.1.1	192.168.2.6	0x9be9	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:16.597105980 CET	1.1.1.1	192.168.2.6	0x7f23	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:16.717560053 CET	1.1.1.1	192.168.2.6	0x49c5	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 24, 2024 20:01:16.785219908 CET	1.1.1.1	192.168.2.6	0x5830	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 20:01:17.002855062 CET	1.1.1.1	192.168.2.6	0xb6fe	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:17.002855062 CET	1.1.1.1	192.168.2.6	0xb6fe	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.008167028 CET	1.1.1.1	192.168.2.6	0x29a	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.025852919 CET	1.1.1.1	192.168.2.6	0xf00	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:17.025852919 CET	1.1.1.1	192.168.2.6	0xf00	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.499423981 CET	1.1.1.1	192.168.2.6	0xeb4d	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.499588966 CET	1.1.1.1	192.168.2.6	0xd51a	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.508608103 CET	1.1.1.1	192.168.2.6	0x9d3f	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.792576075 CET	1.1.1.1	192.168.2.6	0x8c9f	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:17.792576075 CET	1.1.1.1	192.168.2.6	0x8c9f	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:17.792576075 CET	1.1.1.1	192.168.2.6	0x8c9f	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.983040094 CET	1.1.1.1	192.168.2.6	0x8dba	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.983040094 CET	1.1.1.1	192.168.2.6	0x8dba	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.983073950 CET	1.1.1.1	192.168.2.6	0x797	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:17.983372927 CET	1.1.1.1	192.168.2.6	0x7b6d	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:18.200555086 CET	1.1.1.1	192.168.2.6	0x1bb5	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:18.200555086 CET	1.1.1.1	192.168.2.6	0x1bb5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:18.201574087 CET	1.1.1.1	192.168.2.6	0x571b	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 20:01:18.440732002 CET	1.1.1.1	192.168.2.6	0x2e45	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:20.232681036 CET	1.1.1.1	192.168.2.6	0x71bc	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:20.399991989 CET	1.1.1.1	192.168.2.6	0x5c07	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:23.167778015 CET	1.1.1.1	192.168.2.6	0x91a9	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:23.167778015 CET	1.1.1.1	192.168.2.6	0x91a9	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:23.167922974 CET	1.1.1.1	192.168.2.6	0xae77	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:23.167965889 CET	1.1.1.1	192.168.2.6	0x63a1	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:23.167965889 CET	1.1.1.1	192.168.2.6	0x63a1	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:23.169038057 CET	1.1.1.1	192.168.2.6	0x4bc7	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:23.169038057 CET	1.1.1.1	192.168.2.6	0x4bc7	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:23.169038057 CET	1.1.1.1	192.168.2.6	0x4bc7	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:23.343485117 CET	1.1.1.1	192.168.2.6	0x7787	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:23.345402002 CET	1.1.1.1	192.168.2.6	0xa191	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:23.346139908 CET	1.1.1.1	192.168.2.6	0xadec	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:27.038820028 CET	1.1.1.1	192.168.2.6	0xfe77	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.714891911 CET	1.1.1.1	192.168.2.6	0x8580	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:29.714891911 CET	1.1.1.1	192.168.2.6	0x8580	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.714891911 CET	1.1.1.1	192.168.2.6	0x8580	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.714891911 CET	1.1.1.1	192.168.2.6	0x8580	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.714891911 CET	1.1.1.1	192.168.2.6	0x8580	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.714891911 CET	1.1.1.1	192.168.2.6	0x8580	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.714891911 CET	1.1.1.1	192.168.2.6	0x8580	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.714891911 CET	1.1.1.1	192.168.2.6	0x8580	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.714891911 CET	1.1.1.1	192.168.2.6	0x8580	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.714891911 CET	1.1.1.1	192.168.2.6	0x8580	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.714891911 CET	1.1.1.1	192.168.2.6	0x8580	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.714891911 CET	1.1.1.1	192.168.2.6	0x8580	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.717391014 CET	1.1.1.1	192.168.2.6	0x3b8	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:29.717391014 CET	1.1.1.1	192.168.2.6	0x3b8	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.750358105 CET	1.1.1.1	192.168.2.6	0xc639	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:29.750358105 CET	1.1.1.1	192.168.2.6	0xc639	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.913284063 CET	1.1.1.1	192.168.2.6	0xcb12	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.913667917 CET	1.1.1.1	192.168.2.6	0x3329	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.913667917 CET	1.1.1.1	192.168.2.6	0x3329	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.913667917 CET	1.1.1.1	192.168.2.6	0x3329	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.913667917 CET	1.1.1.1	192.168.2.6	0x3329	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.913667917 CET	1.1.1.1	192.168.2.6	0x3329	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.913667917 CET	1.1.1.1	192.168.2.6	0x3329	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.913667917 CET	1.1.1.1	192.168.2.6	0x3329	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.913667917 CET	1.1.1.1	192.168.2.6	0x3329	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.913667917 CET	1.1.1.1	192.168.2.6	0x3329	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.913667917 CET	1.1.1.1	192.168.2.6	0x3329	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:29.931583881 CET	1.1.1.1	192.168.2.6	0x6331	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:30.060401917 CET	1.1.1.1	192.168.2.6	0xb3ba	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 24, 2024 20:01:30.060448885 CET	1.1.1.1	192.168.2.6	0x7ab3	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 20:01:30.060448885 CET	1.1.1.1	192.168.2.6	0x7ab3	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 20:01:30.060448885 CET	1.1.1.1	192.168.2.6	0x7ab3	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 20:01:30.060448885 CET	1.1.1.1	192.168.2.6	0x7ab3	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 20:01:30.146188974 CET	1.1.1.1	192.168.2.6	0x9c2	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 24, 2024 20:01:31.181173086 CET	1.1.1.1	192.168.2.6	0x8930	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:31.181173086 CET	1.1.1.1	192.168.2.6	0x8930	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:31.181173086 CET	1.1.1.1	192.168.2.6	0x8930	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:31.181173086 CET	1.1.1.1	192.168.2.6	0x8930	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:31.181173086 CET	1.1.1.1	192.168.2.6	0x8930	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:31.183018923 CET	1.1.1.1	192.168.2.6	0xcdcb	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:31.183018923 CET	1.1.1.1	192.168.2.6	0xcdcb	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:31.183018923 CET	1.1.1.1	192.168.2.6	0xcdcb	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:31.183018923 CET	1.1.1.1	192.168.2.6	0xcdcb	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:31.343027115 CET	1.1.1.1	192.168.2.6	0x2c4	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:31.345480919 CET	1.1.1.1	192.168.2.6	0xd505	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:31.345480919 CET	1.1.1.1	192.168.2.6	0xd505	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:31.345480919 CET	1.1.1.1	192.168.2.6	0xd505	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:31.345480919 CET	1.1.1.1	192.168.2.6	0xd505	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:42.758704901 CET	1.1.1.1	192.168.2.6	0x5e77	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:42.758704901 CET	1.1.1.1	192.168.2.6	0x5e77	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:43.093368053 CET	1.1.1.1	192.168.2.6	0x3100	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:43.093368053 CET	1.1.1.1	192.168.2.6	0x3100	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:44.051167965 CET	1.1.1.1	192.168.2.6	0xd894	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:44.051167965 CET	1.1.1.1	192.168.2.6	0xd894	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:44.051167965 CET	1.1.1.1	192.168.2.6	0xd894	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:44.051167965 CET	1.1.1.1	192.168.2.6	0xd894	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:44.198337078 CET	1.1.1.1	192.168.2.6	0x57d1	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:44.198337078 CET	1.1.1.1	192.168.2.6	0x57d1	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:44.198337078 CET	1.1.1.1	192.168.2.6	0x57d1	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:44.198337078 CET	1.1.1.1	192.168.2.6	0x57d1	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:44.208342075 CET	1.1.1.1	192.168.2.6	0x731a	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:44.208342075 CET	1.1.1.1	192.168.2.6	0x731a	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:44.263959885 CET	1.1.1.1	192.168.2.6	0xb654	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:44.263959885 CET	1.1.1.1	192.168.2.6	0xb654	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:44.486589909 CET	1.1.1.1	192.168.2.6	0xe3c9	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:44.487647057 CET	1.1.1.1	192.168.2.6	0xca24	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 20:01:44.487647057 CET	1.1.1.1	192.168.2.6	0xca24	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 20:01:44.487647057 CET	1.1.1.1	192.168.2.6	0xca24	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 20:01:44.487647057 CET	1.1.1.1	192.168.2.6	0xca24	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 20:01:45.262276888 CET	1.1.1.1	192.168.2.6	0x9e23	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:45.262276888 CET	1.1.1.1	192.168.2.6	0x9e23	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:45.408114910 CET	1.1.1.1	192.168.2.6	0xf874	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:45.408114910 CET	1.1.1.1	192.168.2.6	0xf874	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:45.594177008 CET	1.1.1.1	192.168.2.6	0xf2ee	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:45.594177008 CET	1.1.1.1	192.168.2.6	0xf2ee	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:46.081594944 CET	1.1.1.1	192.168.2.6	0x5167	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:46.081594944 CET	1.1.1.1	192.168.2.6	0x5167	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:47.207957983 CET	1.1.1.1	192.168.2.6	0x7b2d	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:47.207957983 CET	1.1.1.1	192.168.2.6	0x7b2d	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:01:56.602873087 CET	1.1.1.1	192.168.2.6	0xbc58	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:01:56.602873087 CET	1.1.1.1	192.168.2.6	0xbc58	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:02:03.007081032 CET	1.1.1.1	192.168.2.6	0x6bef	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:02:14.609236956 CET	1.1.1.1	192.168.2.6	0x27c3	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 20:02:47.199167013 CET	1.1.1.1	192.168.2.6	0x2584	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 20:02:47.199167013 CET	1.1.1.1	192.168.2.6	0x2584	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49743	34.107.221.82	80	2620	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 20:01:16.569736958 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 20:01:17.769629002 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 38480 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49751	34.107.221.82	80	2620	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 20:01:18.375005960 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 20:01:19.725667000 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 19:39:57 GMT Age: 84082 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49762	34.107.221.82	80	2620	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 20:01:19.924010038 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 20:01:21.103929043 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 38483 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 20:01:22.833008051 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 20:01:23.353903055 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 38486 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 20:01:26.897485018 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 20:01:27.221592903 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 38490 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 20:01:29.156270981 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 20:01:29.480185986 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 38492 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 20:01:31.250386000 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 20:01:31.579802036 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 38494 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 20:01:41.594235897 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 20:01:42.607454062 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 20:01:42.945031881 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 38505 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 20:01:45.102524042 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 20:01:45.448493004 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 38508 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 20:01:45.617621899 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 20:01:45.945647955 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 38508 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 20:01:46.525428057 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 20:01:46.850507021 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 38509 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 20:01:46.899000883 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 20:01:47.239949942 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 38510 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 20:01:57.242753983 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 20:02:01.891870975 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 20:02:02.332653046 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 38525 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 20:02:04.339956045 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 20:02:04.682014942 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 38527 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 20:02:14.693492889 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 20:02:15.850084066 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 20:02:16.178786039 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 38539 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 20:02:17.067884922 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 20:02:17.399296045 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 38540 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 20:02:27.408752918 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 20:02:37.529649019 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 20:02:47.051755905 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 20:02:47.379795074 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 38570 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 20:02:57.385919094 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 20:03:07.530119896 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 20:03:17.662410975 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49773	34.107.221.82	80	2620	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 20:01:23.150325060 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 20:01:24.360054016 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 69737 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 20:01:26.881889105 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 20:01:27.214942932 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 69740 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 20:01:28.863725901 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 20:01:29.217617035 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 69742 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 20:01:29.546951056 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 20:01:29.880883932 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 69742 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 20:01:34.860956907 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 20:01:35.201546907 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 69748 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 20:01:42.948769093 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 20:01:43.310586929 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 69756 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 20:01:45.452120066 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 20:01:45.788921118 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 69758 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 20:01:45.951977968 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 20:01:46.290221930 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 69759 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 20:01:46.853858948 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 20:01:47.239042997 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 69760 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 20:01:47.243344069 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 20:01:47.906980038 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 69760 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 20:01:57.922597885 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 20:02:02.336829901 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 20:02:02.700146914 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 69775 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 20:02:04.685190916 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 20:02:05.028426886 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 69777 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 20:02:15.041256905 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 20:02:16.182261944 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 20:02:16.520709038 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 69789 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 20:02:17.405164003 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 20:02:17.738162994 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 69790 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 20:02:27.748132944 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 20:02:37.877415895 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 20:02:47.383681059 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 20:02:47.717154026 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 69820 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 20:02:57.724136114 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 20:03:07.853127956 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 20:03:17.985433102 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	1
Start time:	14:01:08
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x740000
File size:	922'112 bytes
MD5 hash:	667BF6CD0B76DD2DC3C2E66827A1C44A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:01:08
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x320000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:01:08
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:01:10
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x320000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:01:10
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:01:10
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x320000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:01:10
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:01:10
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x320000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:01:10
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:01:11
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x320000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:01:11
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:01:11
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:01:11
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:01:11
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	14:01:12
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbbe2a04-7c6c-4cf1-adf6-02c1116bb12a} 2620 "\\.\pipe\gecko-crash-server-pipe.2620" 1c1dca6e910 socket
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	14:01:13
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -parentBuildID 20230927232528 -prefsHandle 4020 -prefMapHandle 4016 -prefsLen 26034 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebb25158-9067-45c3-bf13-1f107f0bed4f} 2620 "\\.\pipe\gecko-crash-server-pipe.2620" 1c1dca7e710 rdd
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	14:01:21
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5148 -prefMapHandle 5072 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82f16e16-aaa8-4ef6-9529-5cc90aed65e2} 2620 "\\.\pipe\gecko-crash-server-pipe.2620" 1c1f51b9510 utility
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	1525
Total number of Limit Nodes:	48

Executed Functions

Function 007442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0074430D

Part of subcall function 00746B57: _wcslen.LIBCMT ref: 00746B6A

GetCurrentProcess.KERNEL32(?,007DCB64,00000000,?,?), ref: 00744422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00744429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00744454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00744466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00744474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0074447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007444A0

Strings

|O, xrefs: 007836F8
kernel32.dll, xrefs: 0074444F
GetNativeSystemInfo, xrefs: 00744460

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 933994b0e9f4cf6b2e342bbdb404367c010c125b2c7e8f3116e2e96522ead5fa
Instruction ID: 996b0fff955ba935e29db7a257a73b221d98ec6e40b3aa52e483147aa4ffaa49
Opcode Fuzzy Hash: 933994b0e9f4cf6b2e342bbdb404367c010c125b2c7e8f3116e2e96522ead5fa
Instruction Fuzzy Hash: D8A1946190A2D0DFCF12D76D7C8D3DA7FAC7F26700B18C49AD26193B6AD62C4508DB26

Function 007442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007450AA,?,?,00000000,00000000), ref: 007442B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007450AA,?,?,00000000,00000000), ref: 007442C9
LoadResource.KERNEL32(?,00000000,?,?,007450AA,?,?,00000000,00000000,?,?,?,?,?,?,00744F20), ref: 007835BE
SizeofResource.KERNEL32(?,00000000,?,?,007450AA,?,?,00000000,00000000,?,?,?,?,?,?,00744F20), ref: 007835D3
LockResource.KERNEL32(007450AA,?,?,007450AA,?,?,00000000,00000000,?,?,?,?,?,?,00744F20,?), ref: 007835E6

Strings

SCRIPT, xrefs: 007442BF

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 4ff808bd970047b01b7f24543cd5e2885064a179f9b33ba2500accdafc60ea5a
Instruction ID: 21f856563ebc288fca603f8b3447c85141aa3da20bbccc3f728858510e24bd31
Opcode Fuzzy Hash: 4ff808bd970047b01b7f24543cd5e2885064a179f9b33ba2500accdafc60ea5a
Instruction Fuzzy Hash: 4A117CB1201701BFDB228BA5DC49F277BB9FBC5B51F10816EB41296290DBB5E800D620

Function 00782BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00742B6B

Part of subcall function 00743A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00811418,?,00742E7F,?,?,?,00000000), ref: 00743A78

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00802224), ref: 00782C10
ShellExecuteW.SHELL32(00000000,?,?,00802224), ref: 00782C17

Strings

runas, xrefs: 00782C0B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: ba6901514be3c5c392317ea5cdfccfacf2710969f35dff5f07ce4ff84b3e7127
Instruction ID: 388df138fe348c483c0666af29da08cc36f60e4c4f117b66c06c87b2bc2f1f5f
Opcode Fuzzy Hash: ba6901514be3c5c392317ea5cdfccfacf2710969f35dff5f07ce4ff84b3e7127
Instruction Fuzzy Hash: CE11E471208341EACB04FF60D85D9AEBBA9EF91710F44442DF28A420A3DF3C894AC722

Function 007AD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007AD501
Process32FirstW.KERNEL32(00000000,?), ref: 007AD50F
Process32NextW.KERNEL32(00000000,?), ref: 007AD52F
CloseHandle.KERNELBASE(00000000), ref: 007AD5DC

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ba51cb45d15bd588a6d4dbca90ca492f822c573739cde9c251cca0e6c0562af5
Instruction ID: d75771f8e62fcd82ac198559971249df8ebb1332659047c86f7212f2d6cc0516
Opcode Fuzzy Hash: ba51cb45d15bd588a6d4dbca90ca492f822c573739cde9c251cca0e6c0562af5
Instruction Fuzzy Hash: 93319372108301DFD311EF54C885AAFBBF8EFD9354F14052DF582861A2EB759944CBA2

Function 007ADBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00785222), ref: 007ADBCE
GetFileAttributesW.KERNELBASE(?), ref: 007ADBDD
FindFirstFileW.KERNEL32(?,?), ref: 007ADBEE
FindClose.KERNEL32(00000000), ref: 007ADBFA

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 9418e03cfbbdc3b9c339659b59d5999d674bdcdbb9cf5498999a84806f0a2681
Instruction ID: 41a63cb297115be55f25bff255d3fcd0963f0c0be6925e84472af5a7a18b1b08
Opcode Fuzzy Hash: 9418e03cfbbdc3b9c339659b59d5999d674bdcdbb9cf5498999a84806f0a2681
Instruction Fuzzy Hash: C0F0A0308119255B92316B78AC0D8AA377CAE82334F908713F876D24E0EBBC6D54C6A9

Function 00764CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007728E9,?,00764CBE,007728E9,008088B8,0000000C,00764E15,007728E9,00000002,00000000,?,007728E9), ref: 00764D09
TerminateProcess.KERNEL32(00000000,?,00764CBE,007728E9,008088B8,0000000C,00764E15,007728E9,00000002,00000000,?,007728E9), ref: 00764D10
ExitProcess.KERNEL32 ref: 00764D22

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a7439cfefdb3bc8d0f751962913ca22eb93d8d097e0fab2ed62e206cf8d840d6
Instruction ID: d4ecd8acd8394b4dc21dee753dfcb7a46f9b559fc4375f86df191f915fdeb928
Opcode Fuzzy Hash: a7439cfefdb3bc8d0f751962913ca22eb93d8d097e0fab2ed62e206cf8d840d6
Instruction Fuzzy Hash: 8FE0B631501549ABCF12AF64DD09A583B79EB41781F108015FD0A9B122CB3DDD42DA84

Function 007CAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 007CB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007CB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007CB1D4
_wcslen.LIBCMT ref: 007CB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007CB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007CB236
_wcslen.LIBCMT ref: 007CB332

Part of subcall function 007B05A7: GetStdHandle.KERNEL32(000000F6), ref: 007B05C6

_wcslen.LIBCMT ref: 007CB34B
_wcslen.LIBCMT ref: 007CB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007CB3B6
GetLastError.KERNEL32(00000000), ref: 007CB407
CloseHandle.KERNEL32(?), ref: 007CB439
CloseHandle.KERNEL32(00000000), ref: 007CB44A
CloseHandle.KERNEL32(00000000), ref: 007CB45C
CloseHandle.KERNEL32(00000000), ref: 007CB46E
CloseHandle.KERNEL32(?), ref: 007CB4E3

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 12244b0e61c4b75655e5c3adfc1c90974ede0410f84f9ee36d62566dedcaa1a0
Instruction ID: 6fa953a0819d152560c56b394fd52ef547c9adcd1df148acf2919ce2fd4eb92d
Opcode Fuzzy Hash: 12244b0e61c4b75655e5c3adfc1c90974ede0410f84f9ee36d62566dedcaa1a0
Instruction Fuzzy Hash: 83F18A31608340DFC715EF24C886B6EBBE5AF85310F14895DF8999B2A2CB39EC44CB52

Function 0074D730 Relevance: 21.6, APIs: 14, Instructions: 631sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0074D807
timeGetTime.WINMM ref: 0074DA07
Sleep.KERNELBASE(0000000A), ref: 0074DBB1
Sleep.KERNEL32(0000000A), ref: 00792B76
GetExitCodeProcess.KERNEL32(?,?), ref: 00792C11
WaitForSingleObject.KERNEL32(?,00000000), ref: 00792C29
CloseHandle.KERNEL32(?), ref: 00792C3D
Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00792CA9

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
String ID:
API String ID: 388478766-0
Opcode ID: 6e30ad448bcf8ee6b5fd4e55578eb5aa38ad64a20617e0b59640da0e49d3541f
Instruction ID: 0ea7f8632107156e0b2856169b407f5809718c789e8fb56e4d0e44b49654e2c5
Opcode Fuzzy Hash: 6e30ad448bcf8ee6b5fd4e55578eb5aa38ad64a20617e0b59640da0e49d3541f
Instruction Fuzzy Hash: F0420270604242EFDB39DF24D888BAAB7E5FF46304F148519E89587292D77CEC45CB92

Function 00742CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00742D07
RegisterClassExW.USER32(00000030), ref: 00742D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00742D42
InitCommonControlsEx.COMCTL32(?), ref: 00742D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00742D6F
LoadIconW.USER32(000000A9), ref: 00742D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00742D94

Strings

AutoIt v3 GUI, xrefs: 00742D23
0, xrefs: 00742CE9
+, xrefs: 00742CF0
TaskbarCreated, xrefs: 00742D37

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8f57f30f07a22dc5a0d256e6ca72f2a4ed74876a1a31d1d6489fe1ac241a85b2
Instruction ID: 07117b1c4bd8a4ee31a12afc8a5b453477b561f7df4a0c5ac4ab4821e5edd0e6
Opcode Fuzzy Hash: 8f57f30f07a22dc5a0d256e6ca72f2a4ed74876a1a31d1d6489fe1ac241a85b2
Instruction Fuzzy Hash: 4321E3B1902209AFDF01DFA4ED49BDDBFB8FB08710F00811AF621A62A0D7B95544CF94

Function 0078065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0078039A: CreateFileW.KERNELBASE(00000000,00000000,?,00780704,?,?,00000000,?,00780704,00000000,0000000C), ref: 007803B7

GetLastError.KERNEL32 ref: 0078076F
__dosmaperr.LIBCMT ref: 00780776
GetFileType.KERNELBASE(00000000), ref: 00780782
GetLastError.KERNEL32 ref: 0078078C
__dosmaperr.LIBCMT ref: 00780795
CloseHandle.KERNEL32(00000000), ref: 007807B5
CloseHandle.KERNEL32(?), ref: 007808FF
GetLastError.KERNEL32 ref: 00780931
__dosmaperr.LIBCMT ref: 00780938

Strings

H, xrefs: 007808BD

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: dd4d4520b2ec161d96429c5e7db375df662337f8f4452885775768561f9bdc95
Instruction ID: 13adedd36dde6b0e417ffee2b3cf50f417d003d9a1f2f7a7647913f2cb89ba31
Opcode Fuzzy Hash: dd4d4520b2ec161d96429c5e7db375df662337f8f4452885775768561f9bdc95
Instruction Fuzzy Hash: 51A12432A401088FDF19AF68DC56BAE7BA0AF06320F14415EF815DB2D1DB399D56CF91

Function 0074344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00743A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00811418,?,00742E7F,?,?,?,00000000), ref: 00743A78

Part of subcall function 00743357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00743379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0074356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0078318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007831CE
RegCloseKey.ADVAPI32(?), ref: 00783210
_wcslen.LIBCMT ref: 00783277
_wcslen.LIBCMT ref: 00783286

Strings

\, xrefs: 0078328C
Software\AutoIt v3\AutoIt, xrefs: 00743560
Include, xrefs: 00783184, 007831C5
\Include\, xrefs: 00743527

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: fe25cf0e8a0494ca7c31023ce99e43f805c6540abb002745ea5bbc570cb1405e
Instruction ID: 22ed1d65ee9ea0f46bec65d945bf35ff9e6635f610e866565a9517137cecec1f
Opcode Fuzzy Hash: fe25cf0e8a0494ca7c31023ce99e43f805c6540abb002745ea5bbc570cb1405e
Instruction Fuzzy Hash: 41718BB14053019EC304EF69DC869ABBBECFF84740F40852EF55583271EB389A58CB62

Function 00742B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00742B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00742B9D
LoadIconW.USER32(00000063), ref: 00742BB3
LoadIconW.USER32(000000A4), ref: 00742BC5
LoadIconW.USER32(000000A2), ref: 00742BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00742BEF
RegisterClassExW.USER32(?), ref: 00742C40

Part of subcall function 00742CD4: GetSysColorBrush.USER32(0000000F), ref: 00742D07
Part of subcall function 00742CD4: RegisterClassExW.USER32(00000030), ref: 00742D31
Part of subcall function 00742CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00742D42
Part of subcall function 00742CD4: InitCommonControlsEx.COMCTL32(?), ref: 00742D5F
Part of subcall function 00742CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00742D6F
Part of subcall function 00742CD4: LoadIconW.USER32(000000A9), ref: 00742D85
Part of subcall function 00742CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00742D94

Strings

0, xrefs: 00742C0F
AutoIt v3, xrefs: 00742C2F
#, xrefs: 00742C16

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 0f4ac232c07fd44c1ee1a63dd0716d0bbb5b17556c083836192b305e6469138a
Instruction ID: 5373d9864a822802a962969bc231820399031bd07bc479bb9623865df0f1ae97
Opcode Fuzzy Hash: 0f4ac232c07fd44c1ee1a63dd0716d0bbb5b17556c083836192b305e6469138a
Instruction Fuzzy Hash: 7B211D70E01314ABDF119F95EC59AD97FB8FF48B50F04801AE611A67A4D7B91540CF94

Function 00743170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0074316A,?,?), ref: 007431D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0074316A,?,?), ref: 00743204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00743227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0074316A,?,?), ref: 00743232
CreatePopupMenu.USER32 ref: 00743246
PostQuitMessage.USER32(00000000), ref: 00743267

Strings

TaskbarCreated, xrefs: 0074322D

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: fe715cab2adf717e480a729ff85014ac704706a65fb62bc5357ee50b0f5c8cd4
Instruction ID: 28a2bdf2691b8b521ebcf2e71c89298f707c76498709a7c11bc466c1865623eb
Opcode Fuzzy Hash: fe715cab2adf717e480a729ff85014ac704706a65fb62bc5357ee50b0f5c8cd4
Instruction Fuzzy Hash: 95412B31240209E7DF152B789C4DBF93B2DFF05310F048116F62AC62A6C7BD9A41D7A5

Function 00741410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00741459
CoUninitialize.COMBASE ref: 007414F8
UnregisterHotKey.USER32(?), ref: 007416DD
DestroyWindow.USER32(?), ref: 007824B9
FreeLibrary.KERNEL32(?), ref: 0078251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0078254B

Strings

close all, xrefs: 00741454

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: bef6a191f11732989fcd461a7d20491ec204ef506c4d73d724ad0338b898ee68
Instruction ID: dfacbd5bb6b431d7065e5ce81c7d01b670e9d60136a3cdd71645a45971f16f4c
Opcode Fuzzy Hash: bef6a191f11732989fcd461a7d20491ec204ef506c4d73d724ad0338b898ee68
Instruction Fuzzy Hash: 12D18C31741212CFCB19EF14C899A69F7A4BF05301F5442ADE84A6B252DB38ED63CF55

Function 00742C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00742C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00742CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00741CAD,?), ref: 00742CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00741CAD,?), ref: 00742CCF

Strings

edit, xrefs: 00742CAC
AutoIt v3, xrefs: 00742C89, 00742C8E, 00742C8F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d26258b243a2e4b074902937060bb5c30845f1f4cc0dc50fdd3c6367dcfe7adb
Instruction ID: e0f000a77e1a84f46732760a0609f3c7cb8357de8e5f536add62b33e9878fdee
Opcode Fuzzy Hash: d26258b243a2e4b074902937060bb5c30845f1f4cc0dc50fdd3c6367dcfe7adb
Instruction Fuzzy Hash: 0FF0DA755402907AEF311717AC0CEB76EBDEBC6F60B00815AFA10A26A4C6691850DAB4

Function 00743B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00743B0F,SwapMouseButtons,00000004,?), ref: 00743B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00743B0F,SwapMouseButtons,00000004,?), ref: 00743B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00743B0F,SwapMouseButtons,00000004,?), ref: 00743B83

Strings

Control Panel\Mouse, xrefs: 00743B3E

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6e83db1521d259cf1596dd72a8225c42674c484705e3b0ecb327f36440e66da8
Instruction ID: ef6cfdaebd46186cb5415da06d1401db940454d4c1ec6402e158e53e5d70c4bb
Opcode Fuzzy Hash: 6e83db1521d259cf1596dd72a8225c42674c484705e3b0ecb327f36440e66da8
Instruction Fuzzy Hash: 101127B5611208FFDB218FA5DC84AAEBBB8EF05744B10856AA809D7110E3359E44DBA4

Function 00743923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007833A2

Part of subcall function 00746B57: _wcslen.LIBCMT ref: 00746B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00743A04

Strings

Line: , xrefs: 007833EB

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 649ec2696c431588676c046c64d77dabd978ec8ce91592b0a5b7e4c420dbd8e9
Instruction ID: a757d859766d62c6bf4369a177c9e00fb44a43c653dfcce82172f03fdb34a608
Opcode Fuzzy Hash: 649ec2696c431588676c046c64d77dabd978ec8ce91592b0a5b7e4c420dbd8e9
Instruction Fuzzy Hash: BC31A471548300AAD721EB24DC49BDBB7ECAF41714F10491AF5AD92291DB7C9649C7C2

Function 0075FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00760668

Part of subcall function 007632A4: RaiseException.KERNEL32(?,?,?,0076068A,?,00811444,?,?,?,?,?,?,0076068A,00741129,00808738,00741129), ref: 00763304

__CxxThrowException@8.LIBVCRUNTIME ref: 00760685

Strings

Unknown exception, xrefs: 00760692

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 25cecf7c724fcbc35ec7d641fb6f344d48335dc151131d4c59d1cef72885e6e8
Instruction ID: 4062aa5e7f6b335b1de034a11cf8723ef624c889380522a1f72a84fd2ae8101a
Opcode Fuzzy Hash: 25cecf7c724fcbc35ec7d641fb6f344d48335dc151131d4c59d1cef72885e6e8
Instruction Fuzzy Hash: 99F0FF34A0030DE7CB00BAA4DC5AC9E777CAE00310B608035FD26D6A92EF79DA69C9D0

Function 007410F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00741BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00741BF4
Part of subcall function 00741BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00741BFC
Part of subcall function 00741BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00741C07
Part of subcall function 00741BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00741C12
Part of subcall function 00741BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00741C1A
Part of subcall function 00741BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00741C22

Part of subcall function 00741B4A: RegisterWindowMessageW.USER32(00000004,?,007412C4), ref: 00741BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0074136A
OleInitialize.OLE32 ref: 00741388
CloseHandle.KERNEL32(00000000,00000000), ref: 007824AB

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 8dbac4f4d58151de6b6e0b46b6dbe2f3806b6f6c17d5dc5e0c30903a6c13aea3
Instruction ID: 4c140fe1edb5e1403d32bd6a53c4f3dc54edb0e6c96048882f7c188cb7e6992b
Opcode Fuzzy Hash: 8dbac4f4d58151de6b6e0b46b6dbe2f3806b6f6c17d5dc5e0c30903a6c13aea3
Instruction Fuzzy Hash: 567195B49122018E8F84EFA9A85D6D57AEAFF88740754C23AD60AC7361EB385485CF48

Function 007AC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00743923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00743A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007AC259
KillTimer.USER32(?,00000001,?,?), ref: 007AC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007AC270

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 43186a69732a4374073f1f57624f5e058246e5a336390ed4222a193c8619f3cd
Instruction ID: 0ba3b93f2ca7354b88b4b0afc728ee92729f6946e0f759575cbefb96cb0139ab
Opcode Fuzzy Hash: 43186a69732a4374073f1f57624f5e058246e5a336390ed4222a193c8619f3cd
Instruction Fuzzy Hash: 6C319570904344BFEB239F648859BE7BBFCAF47304F04449AD6DA97281C7785A84CB51

Function 007786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007785CC,?,00808CC8,0000000C), ref: 00778704
GetLastError.KERNEL32(?,007785CC,?,00808CC8,0000000C), ref: 0077870E
__dosmaperr.LIBCMT ref: 00778739

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: b1b33b6b7ab939680b29230a4f348cdd1b018955dfd19b30c67f00ebaf5bbdb9
Instruction ID: 0c66fd8d860184f27c9fa6b528b9681340f6fead8564c9587c9e28f54980da4a
Opcode Fuzzy Hash: b1b33b6b7ab939680b29230a4f348cdd1b018955dfd19b30c67f00ebaf5bbdb9
Instruction Fuzzy Hash: 37014C32A4532076DEA46334E84EB6E274A4B817F8F29C119E80CCB0E3DDEC8C818192

Function 0074DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0074DB7B
DispatchMessageW.USER32(?), ref: 0074DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0074DB9F
Sleep.KERNELBASE(0000000A), ref: 0074DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00791CC9

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: d873a97fe3f7765b276cf6e7cddbb7b449baff6fe289ed40869993982033e75f
Instruction ID: 771637e4d135f0de7da26db7fed6d4591797cb1e681f072dd08ed455769233e6
Opcode Fuzzy Hash: d873a97fe3f7765b276cf6e7cddbb7b449baff6fe289ed40869993982033e75f
Instruction Fuzzy Hash: 68F05E306453419BEB30CBA09C49FEA73BCEF45310F508A29E65AC30C0DB389888CB29

Function 00751310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007517F6

Strings

CALL, xrefs: 007517C6

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 1cf60cdaf18a98641a6f44b15ed479e5bfffe3a4006e9e6c0738726e9ec41561
Instruction ID: 8466e23eced39660e727cb6f975f4634fc952985874d3a049c3cb52050d4f098
Opcode Fuzzy Hash: 1cf60cdaf18a98641a6f44b15ed479e5bfffe3a4006e9e6c0738726e9ec41561
Instruction Fuzzy Hash: 3422BB70608241DFC714CF14C484BAABBF1BF89316F548A1DF8968B361D7B9E959CB82

Function 00742DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00782C8C

Part of subcall function 00743AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00743A97,?,?,00742E7F,?,?,?,00000000), ref: 00743AC2

Part of subcall function 00742DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00742DC4

Strings

X, xrefs: 00782C5A

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: ffaba4f34842008242cfcd04d8f162c0ebeb17a5edbc4fb026c479a58f844239
Instruction ID: 57baed0220494e8994f0c1720b4572502624b9292692bf95171abcae6918e7fb
Opcode Fuzzy Hash: ffaba4f34842008242cfcd04d8f162c0ebeb17a5edbc4fb026c479a58f844239
Instruction Fuzzy Hash: 61218171A00258DBCB41AF94CC49BEE7BBCAF49314F008059E505E7282EBB85A59CFA5

Function 00743837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00743908

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 7d5f47b59f46706c539afaf3191202fe993b93b3ec2e0f7d3555c43e2dc05602
Instruction ID: fd3f06fe26caecc371d59770d40996fef3f427d5338cc4201d382738cd42aa2b
Opcode Fuzzy Hash: 7d5f47b59f46706c539afaf3191202fe993b93b3ec2e0f7d3555c43e2dc05602
Instruction Fuzzy Hash: 2B315EB0505701DFD761DF24D889B97BBE8FF49708F00092EF6AA87250E779AA44CB52

Function 0075F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0075F661

Part of subcall function 0074D730: GetInputState.USER32 ref: 0074D807

Sleep.KERNEL32(00000000), ref: 0079F2DE

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: b6967a20a6d69c4213df64692851feb9ead577e826723713507132536c47ce89
Instruction ID: adcaae25626b73cd8cecde6c7c6bf6e0afabbc2552bc21c190c1936b31a5fbbf
Opcode Fuzzy Hash: b6967a20a6d69c4213df64692851feb9ead577e826723713507132536c47ce89
Instruction Fuzzy Hash: 26F08C31240205EFD310EF69D549BAAF7E8FF49761F00402AE85DC72A0DB74AC00CB94

Function 00744ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00744E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00744EDD,?,00811418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00744E9C
Part of subcall function 00744E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00744EAE
Part of subcall function 00744E90: FreeLibrary.KERNEL32(00000000,?,?,00744EDD,?,00811418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00744EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00811418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00744EFD

Part of subcall function 00744E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00783CDE,?,00811418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00744E62
Part of subcall function 00744E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00744E74
Part of subcall function 00744E59: FreeLibrary.KERNEL32(00000000,?,?,00783CDE,?,00811418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00744E87

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 73dc6ce15db51de38989f4c64b77f64e75db7f8ff1a89f40aa2c9c1855b5e7ab
Instruction ID: b7c2572902c0523260d352b5b9e2f808fcbdf34f75b54ac58a90f2549c02594e
Opcode Fuzzy Hash: 73dc6ce15db51de38989f4c64b77f64e75db7f8ff1a89f40aa2c9c1855b5e7ab
Instruction Fuzzy Hash: 6D11E332640205EBCB14BB64DC0AFAD77A5AF40B10F10842EF542A61D2EF7CAA09A760

Function 00778402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00778440

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: e0aa94b50f736163b638abb53b5f2f5b0c4d77fc6e563c3cbd9389a220afa55f
Instruction ID: da0e13a1fffe03485003c282a792930029a52449f9e123d9c601e25b2f6da3a1
Opcode Fuzzy Hash: e0aa94b50f736163b638abb53b5f2f5b0c4d77fc6e563c3cbd9389a220afa55f
Instruction Fuzzy Hash: 8B11187590410AAFCF05DF58E94599A7BF9EF48314F108069F808AB312DA75EA11CBA5

Function 00775000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00774C7D: RtlAllocateHeap.NTDLL(00000008,00741129,00000000,?,00772E29,00000001,00000364,?,?,?,0076F2DE,00773863,00811444,?,0075FDF5,?), ref: 00774CBE

_free.LIBCMT ref: 0077506C

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 3d2c3d3ddd92956722e343c22d7a9c639b7d608d5ceefea078e2c7f091651667
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 3E014E722047049BE7318F65D84595AFBECFB853B0F25461DE198932C0E7746C05C774

Function 0076E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 81abe461b0c0a8f0948690c15eeaebd99a71f3372f81e0df2ec19ca27c9cf4e2
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: C0F0F936510A14EACA313A65DC0DB5A33989F52370F104715FD26A21D2CB7CA80289B6

Function 00774C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00741129,00000000,?,00772E29,00000001,00000364,?,?,?,0076F2DE,00773863,00811444,?,0075FDF5,?), ref: 00774CBE

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: addcd3fe58918c020aa7f225b824d4065e1537052742ba5ce524bef4cf17801d
Instruction ID: 6e74f3c0f5f6aeec7665b5ebf78d584273b0a724c0fb969998ab7a5d7d2685a9
Opcode Fuzzy Hash: addcd3fe58918c020aa7f225b824d4065e1537052742ba5ce524bef4cf17801d
Instruction Fuzzy Hash: ECF0B432602224A6DF235F629C09B5A3788BF417E0B19C512FD1EA6685CB3DDC0086B0

Function 00773820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00811444,?,0075FDF5,?,?,0074A976,00000010,00811440,007413FC,?,007413C6,?,00741129), ref: 00773852

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b238452ef7b2327c5380f2a4d71667ad07d1b90af121188c5c741f803ef1eb94
Instruction ID: 7829830aa4c1798ad20735f3a1dbbf2440a4b0ce6e71104e83dbc28419b96997
Opcode Fuzzy Hash: b238452ef7b2327c5380f2a4d71667ad07d1b90af121188c5c741f803ef1eb94
Instruction Fuzzy Hash: 1FE0E532201225DAEF212A669C09F9A3748AF427F0F058123FC1D92981CB3DDD01A1F2

Function 00744F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00811418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00744F6D

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 165d825702133fa29568c5099ffa7e31ca9eeeed5fb0af414b66abb24fdfd772
Instruction ID: a2fded8eaf466a059c91f34c1384dd1260185d24e0f5c868a5250cfc4b02af3e
Opcode Fuzzy Hash: 165d825702133fa29568c5099ffa7e31ca9eeeed5fb0af414b66abb24fdfd772
Instruction Fuzzy Hash: 6BF03071105752DFDB349F64D494912B7F4AF14319319897EE1EA82521C7399848EF10

Function 007D2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007D2A66

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: f54b5e74f5470457523d482fbfabc2584ee5f8981516f168ce47c57932329513
Instruction ID: 24d70aca1c9050a457d716dd338cffe9496c53e4ce342c4f58872b52b6bed7f2
Opcode Fuzzy Hash: f54b5e74f5470457523d482fbfabc2584ee5f8981516f168ce47c57932329513
Instruction Fuzzy Hash: 95E04F36350116AAC714EA30DC849FAB36CEBE53957108637BC1AC2201EB38D9978AA0

Function 007430F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0074314E

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 46dbcc0d521385e41aa70c0b5cdd2aeaa9c421b398e88bf06fdc295410b0a7f0
Instruction ID: ace3ddbef8bb8fddff6f4062410c62c5099fe842884d5a98190f4e1d0ba55985
Opcode Fuzzy Hash: 46dbcc0d521385e41aa70c0b5cdd2aeaa9c421b398e88bf06fdc295410b0a7f0
Instruction Fuzzy Hash: 52F0A7709003189FEB529B24DC497D57BBCBB01708F0040E5A64896286D7784788CF41

Function 00742DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00742DC4

Part of subcall function 00746B57: _wcslen.LIBCMT ref: 00746B6A

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: ddae1887ba196ba649c2c8488a77e385f33aacd237cb618ef6c8145e379e2c83
Instruction ID: a53dff89fb824b32face467db41aa278cdeca72cd8a2b9b1b194917becc4fb8e
Opcode Fuzzy Hash: ddae1887ba196ba649c2c8488a77e385f33aacd237cb618ef6c8145e379e2c83
Instruction Fuzzy Hash: 2DE0CD726011249BCB11A2589C09FDA77EDDFC8790F054071FD09E7248DA64AD80C655

Function 00742B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00743837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00743908

Part of subcall function 0074D730: GetInputState.USER32 ref: 0074D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00742B6B

Part of subcall function 007430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0074314E

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 859ffcdba042ebcdca28f9c4786967fcc4792876a3cc688ab51801e487c353ef
Instruction ID: af07d8866d3efb6707fddbb9f95f77c79e5593d317fd4a440acb26d45596921a
Opcode Fuzzy Hash: 859ffcdba042ebcdca28f9c4786967fcc4792876a3cc688ab51801e487c353ef
Instruction Fuzzy Hash: CFE0262130020483CE04BB74985E4ADF35EDFD1711F40053EF24683163CF6C49898252

Function 0078039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00780704,?,?,00000000,?,00780704,00000000,0000000C), ref: 007803B7

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb2673c007b5cd495b3d55e643518a06e5a78caf4ee60bed3b95cf187b625f11
Instruction ID: 20b0b51c856acec72a5d0ab97ed2fba98526de2888fe199620d4ec9ee90f5149
Opcode Fuzzy Hash: eb2673c007b5cd495b3d55e643518a06e5a78caf4ee60bed3b95cf187b625f11
Instruction Fuzzy Hash: 17D06C3204010DBBDF028F84DD06EDA3BAAFB48714F018000BE1856020C736E821EB94

Function 00741CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00741CBC

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: f11ac4e2a3fda51ab6902bce07cdf6b6808a34e6149b9c00f359e2916d2ed2f9
Instruction ID: 08e5a822fc97d7257d99edee53ce544b2c1f5da70645190d2acb00cb9891278a
Opcode Fuzzy Hash: f11ac4e2a3fda51ab6902bce07cdf6b6808a34e6149b9c00f359e2916d2ed2f9
Instruction Fuzzy Hash: 6CC09B352803059FF6554780BC4EF90776DF748B00F14C101F70A555E3C3A51430D654

Non-executed Functions

Function 007D9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00759BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00759BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007D961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007D965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 007D969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007D96C9
SendMessageW.USER32 ref: 007D96F2
GetKeyState.USER32(00000011), ref: 007D978B
GetKeyState.USER32(00000009), ref: 007D9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007D97AE
GetKeyState.USER32(00000010), ref: 007D97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007D97E9
SendMessageW.USER32 ref: 007D9810
SendMessageW.USER32(?,00001030,?,007D7E95), ref: 007D9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007D992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007D9941
SetCapture.USER32(?), ref: 007D994A
ClientToScreen.USER32(?,?), ref: 007D99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007D99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007D99D6
ReleaseCapture.USER32 ref: 007D99E1
GetCursorPos.USER32(?), ref: 007D9A19
ScreenToClient.USER32(?,?), ref: 007D9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 007D9A80
SendMessageW.USER32 ref: 007D9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 007D9AEB
SendMessageW.USER32 ref: 007D9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007D9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007D9B4A
GetCursorPos.USER32(?), ref: 007D9B68
ScreenToClient.USER32(?,?), ref: 007D9B75
GetParent.USER32(?), ref: 007D9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 007D9BFA
SendMessageW.USER32 ref: 007D9C2B
ClientToScreen.USER32(?,?), ref: 007D9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007D9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 007D9CDE
SendMessageW.USER32 ref: 007D9D01
ClientToScreen.USER32(?,?), ref: 007D9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007D9D82

Part of subcall function 00759944: GetWindowLongW.USER32(?,000000EB), ref: 00759952

GetWindowLongW.USER32(?,000000F0), ref: 007D9E05

Strings

@GUI_DRAGID, xrefs: 007D997D
F, xrefs: 007D9D07

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 35d2f706828bafbe60c4a2990d90d0c47a4eaae5197ebffdb0be72d6da7fac94
Instruction ID: 7b7766648e7011cf021461cba7b213679da4cde0482bbf665fa7d58f2ff903d6
Opcode Fuzzy Hash: 35d2f706828bafbe60c4a2990d90d0c47a4eaae5197ebffdb0be72d6da7fac94
Instruction Fuzzy Hash: 38428A34205201EFDB25CF24CC48AAABBF9FF49320F14465AF699973A1D739E864CB51

Function 007D4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007D48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 007D4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 007D4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 007D494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 007D495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 007D497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007D49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007D49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 007D4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007D4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007D4A7E
IsMenu.USER32(?), ref: 007D4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007D4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007D4B20
GetWindowLongW.USER32(?,000000F0), ref: 007D4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 007D4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 007D4C82
wsprintfW.USER32 ref: 007D4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007D4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 007D4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007D4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007D4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 007D4D5A

Strings

%d/%02d/%02d, xrefs: 007D4CA8

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: f2b9e6e92394304ef89e22657518ee47751b823de8487037750a4042dece5382
Instruction ID: 89df7b3977917550a4b555093aac3e6d725a15e01b90c15fcb310037cf22c84c
Opcode Fuzzy Hash: f2b9e6e92394304ef89e22657518ee47751b823de8487037750a4042dece5382
Instruction Fuzzy Hash: 7B12FF71600215ABEB258F28CC49FAE7BF8FF45310F14816AF956EB2E1DB789941CB50

Function 0075F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0075F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0079F474
IsIconic.USER32(00000000), ref: 0079F47D
ShowWindow.USER32(00000000,00000009), ref: 0079F48A
SetForegroundWindow.USER32(00000000), ref: 0079F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0079F4AA
GetCurrentThreadId.KERNEL32 ref: 0079F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0079F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0079F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0079F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0079F4DE
SetForegroundWindow.USER32(00000000), ref: 0079F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0079F4F6
keybd_event.USER32(00000012,00000000), ref: 0079F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0079F50B
keybd_event.USER32(00000012,00000000), ref: 0079F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0079F519
keybd_event.USER32(00000012,00000000), ref: 0079F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0079F528
keybd_event.USER32(00000012,00000000), ref: 0079F52D
SetForegroundWindow.USER32(00000000), ref: 0079F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0079F557

Strings

Shell_TrayWnd, xrefs: 0079F46F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: e1df48fd59321761c5b293bfda9f854187f9343df166d749f5b9ddc30948c19d
Instruction ID: 07fd11f38ddac9e39f2b18151bc0d5071a03cedfb9b0aa4e8f3ca2a8e03601bd
Opcode Fuzzy Hash: e1df48fd59321761c5b293bfda9f854187f9343df166d749f5b9ddc30948c19d
Instruction Fuzzy Hash: 8831B471A40219BBEF216BB55C4AFBF7F7CEB44B50F204066FA01E61D1C6B89D10EA64

Function 007A1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007A170D
Part of subcall function 007A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007A173A
Part of subcall function 007A16C3: GetLastError.KERNEL32 ref: 007A174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 007A1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007A12A8
CloseHandle.KERNEL32(?), ref: 007A12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007A12D1
GetProcessWindowStation.USER32 ref: 007A12EA
SetProcessWindowStation.USER32(00000000), ref: 007A12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007A1310

Part of subcall function 007A10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007A11FC), ref: 007A10D4
Part of subcall function 007A10BF: CloseHandle.KERNEL32(?,?,007A11FC), ref: 007A10E9

Strings

default, xrefs: 007A130B
, xrefs: 007A125A
winsta0, xrefs: 007A12CC

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 10c445be159168aabb0eb5c89f68b4d2d3e8c364464409b5ee42b3693c676922
Instruction ID: 10dbac2943a1a1b025d7af13e5c539bfb25303c3479f6d54e1247d78944740fb
Opcode Fuzzy Hash: 10c445be159168aabb0eb5c89f68b4d2d3e8c364464409b5ee42b3693c676922
Instruction Fuzzy Hash: CF81B071900249AFEF119FA8DC49FEE7BB9FF49700F14822AF911E61A0C7398944CB65

Function 007A0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007A1114
Part of subcall function 007A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,007A0B9B,?,?,?), ref: 007A1120
Part of subcall function 007A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,007A0B9B,?,?,?), ref: 007A112F
Part of subcall function 007A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,007A0B9B,?,?,?), ref: 007A1136
Part of subcall function 007A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007A0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007A0C00
GetLengthSid.ADVAPI32(?), ref: 007A0C17
GetAce.ADVAPI32(?,00000000,?), ref: 007A0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007A0C6D
GetLengthSid.ADVAPI32(?), ref: 007A0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 007A0C8C
HeapAlloc.KERNEL32(00000000), ref: 007A0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 007A0CB4
CopySid.ADVAPI32(00000000), ref: 007A0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007A0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007A0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007A0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007A0D45
HeapFree.KERNEL32(00000000), ref: 007A0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007A0D55
HeapFree.KERNEL32(00000000), ref: 007A0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007A0D65
HeapFree.KERNEL32(00000000), ref: 007A0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 007A0D78
HeapFree.KERNEL32(00000000), ref: 007A0D7F

Part of subcall function 007A1193: GetProcessHeap.KERNEL32(00000008,007A0BB1,?,00000000,?,007A0BB1,?), ref: 007A11A1
Part of subcall function 007A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,007A0BB1,?), ref: 007A11A8
Part of subcall function 007A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,007A0BB1,?), ref: 007A11B7

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 30e0628bca4c0b0c0abaac3ffcb71b9b62446ff1771aba3c8f55ca559d9d22d0
Instruction ID: ad3febceca84aa36a260299f142c48ed67b9660588a7c79c016c7581875fb37c
Opcode Fuzzy Hash: 30e0628bca4c0b0c0abaac3ffcb71b9b62446ff1771aba3c8f55ca559d9d22d0
Instruction Fuzzy Hash: 3471AC72A0021AEBDF11DFA4DC49FEEBBB8BF45310F048A15F914A7191D779A905CBA0

Function 007BEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(007DCC08), ref: 007BEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 007BEB37
GetClipboardData.USER32(0000000D), ref: 007BEB43
CloseClipboard.USER32 ref: 007BEB4F
GlobalLock.KERNEL32(00000000), ref: 007BEB87
CloseClipboard.USER32 ref: 007BEB91
GlobalUnlock.KERNEL32(00000000), ref: 007BEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 007BEBC9
GetClipboardData.USER32(00000001), ref: 007BEBD1
GlobalLock.KERNEL32(00000000), ref: 007BEBE2
GlobalUnlock.KERNEL32(00000000), ref: 007BEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 007BEC38
GetClipboardData.USER32(0000000F), ref: 007BEC44
GlobalLock.KERNEL32(00000000), ref: 007BEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 007BEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 007BEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 007BECD2
GlobalUnlock.KERNEL32(00000000), ref: 007BECF3
CountClipboardFormats.USER32 ref: 007BED14
CloseClipboard.USER32 ref: 007BED59

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: dddb36f2b57391a9563c2aa906ad9df43f9f6a4dbaf00e5ea9a46ea768c4eaac
Instruction ID: 7603296f6ad484c5c85b352dae460555c96b4d457d8c05333396c539711fcb64
Opcode Fuzzy Hash: dddb36f2b57391a9563c2aa906ad9df43f9f6a4dbaf00e5ea9a46ea768c4eaac
Instruction Fuzzy Hash: 5061C2752042029FD301EF24D888FAAB7B8BF84714F18855EF456973A2CB79ED05CB62

Function 007B698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007B69BE
FindClose.KERNEL32(00000000), ref: 007B6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007B6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007B6A75

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 007B6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 007B6ADF

Strings

%4d, xrefs: 007B6BB1
%03d, xrefs: 007B6DA2
%02d, xrefs: 007B6C00, 007B6C0A, 007B6C5A, 007B6CAA, 007B6CFA, 007B6D4A
%4d%02d%02d%02d%02d%02d, xrefs: 007B6B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 007B6B32

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 881dc9949c78c19c5c224d6c43f944078b0abcbc0e4fbe04d49d8695b5e3028d
Instruction ID: 2fc844a59b73356c516a018c3d31164d900704e606b4232282a854c17feb0100
Opcode Fuzzy Hash: 881dc9949c78c19c5c224d6c43f944078b0abcbc0e4fbe04d49d8695b5e3028d
Instruction Fuzzy Hash: 1FD151B2508340EEC714EBA4C885EAFB7ECBF88704F44491DF585D6191EB79DA48CB62

Function 007B9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 007B9663
GetFileAttributesW.KERNEL32(?), ref: 007B96A1
SetFileAttributesW.KERNEL32(?,?), ref: 007B96BB
FindNextFileW.KERNEL32(00000000,?), ref: 007B96D3
FindClose.KERNEL32(00000000), ref: 007B96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007B96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 007B974A
SetCurrentDirectoryW.KERNEL32(00806B7C), ref: 007B9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 007B9772
FindClose.KERNEL32(00000000), ref: 007B977F
FindClose.KERNEL32(00000000), ref: 007B978F

Strings

*.*, xrefs: 007B96F5

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: bde8a3cdde9e6e647cd5b9d1843fe739b50888a96164ecbcb3990f2e08352e9f
Instruction ID: 78b39085da6e693403e721fed2847496defdf94ebf5386c32cdba5437178cce7
Opcode Fuzzy Hash: bde8a3cdde9e6e647cd5b9d1843fe739b50888a96164ecbcb3990f2e08352e9f
Instruction Fuzzy Hash: 1231B27254121A6EDF11AFB4DC48BDE77BCAF09320F108156EA25E2190EB3CD940CA64

Function 007B979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 007B97BE
FindNextFileW.KERNEL32(00000000,?), ref: 007B9819
FindClose.KERNEL32(00000000), ref: 007B9824
FindFirstFileW.KERNEL32(*.*,?), ref: 007B9840
SetCurrentDirectoryW.KERNEL32(?), ref: 007B9890
SetCurrentDirectoryW.KERNEL32(00806B7C), ref: 007B98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007B98B8
FindClose.KERNEL32(00000000), ref: 007B98C5
FindClose.KERNEL32(00000000), ref: 007B98D5

Part of subcall function 007ADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007ADB00

Strings

*.*, xrefs: 007B983B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: a443a226e5a372aab87efe44854cc653685ae25d0187c8a7a2f256b98144ab6d
Instruction ID: 65f31e997eb15213e12e5f74331edc91b437baa118994226d75931e842e27b96
Opcode Fuzzy Hash: a443a226e5a372aab87efe44854cc653685ae25d0187c8a7a2f256b98144ab6d
Instruction Fuzzy Hash: 3731C37150161AAEDF11AFB4DC48BDE77BCAF06320F108156EA24E21E0DB39DD54CA64

Function 007CBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007CB6AE,?,?), ref: 007CC9B5
Part of subcall function 007CC998: _wcslen.LIBCMT ref: 007CC9F1
Part of subcall function 007CC998: _wcslen.LIBCMT ref: 007CCA68
Part of subcall function 007CC998: _wcslen.LIBCMT ref: 007CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007CBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 007CBFA9
RegCloseKey.ADVAPI32(00000000), ref: 007CBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007CC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007CC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007CC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007CC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 007CC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007CC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007CC382
RegCloseKey.ADVAPI32(00000000), ref: 007CC38F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: de85e110b5a73a9e0b17dd04f675ca8f432c2a3c1bb327731f90a0d95532e61d
Instruction ID: f716bbac8e5fdbe4ff33795084091768dab4e7b0eacefef30c427c41763a4353
Opcode Fuzzy Hash: de85e110b5a73a9e0b17dd04f675ca8f432c2a3c1bb327731f90a0d95532e61d
Instruction Fuzzy Hash: 53023871604240EFD715DF28C895E2ABBE5AF89308F18849DF84ADB2A2D735EC45CB52

Function 007B8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 007B8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 007B8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 007B8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007B8310
SetCurrentDirectoryW.KERNEL32(?), ref: 007B8324
SetCurrentDirectoryW.KERNEL32(?), ref: 007B8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007B838C
SetCurrentDirectoryW.KERNEL32(?), ref: 007B8395

Strings

*.*, xrefs: 007B839B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 3f1fe000ee6a3e320e87930f3ea93a7648b516ab4f8070df5636b51dd0238f8d
Instruction ID: e3aea9f663e1e3297cfe588b34c1d97a2f9f56bdb31b4b4fffd5a79236b1c48d
Opcode Fuzzy Hash: 3f1fe000ee6a3e320e87930f3ea93a7648b516ab4f8070df5636b51dd0238f8d
Instruction Fuzzy Hash: 8F6148725043459FCB50EF64C844AAEB3ECFF89314F04891EF99987251EB39E945CB92

Function 007AD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00743AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00743A97,?,?,00742E7F,?,?,?,00000000), ref: 00743AC2

Part of subcall function 007AE199: GetFileAttributesW.KERNEL32(?,007ACF95), ref: 007AE19A

FindFirstFileW.KERNEL32(?,?), ref: 007AD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 007AD1DD
MoveFileW.KERNEL32(?,?), ref: 007AD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 007AD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 007AD237

Part of subcall function 007AD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,007AD21C,?,?), ref: 007AD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 007AD253
FindClose.KERNEL32(00000000), ref: 007AD264

Strings

\*.*, xrefs: 007AD0CD, 007AD0D6, 007AD0EB

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: b285d9976ce0183ba04c0316aa43106180ec25d0885a4424c18e8b0ecf5d0a63
Instruction ID: 8422592a81206b25d403e322a40778abb78306a78bf119715bf0c347b9597196
Opcode Fuzzy Hash: b285d9976ce0183ba04c0316aa43106180ec25d0885a4424c18e8b0ecf5d0a63
Instruction Fuzzy Hash: 90615F3180114DEBCF15EBE0D996AEDB779BF56300F208265E40677192EB386F09CB61

Function 007BED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 007BED91
EmptyClipboard.USER32 ref: 007BED97
GlobalAlloc.KERNEL32(00000002,?), ref: 007BEDAC
CloseClipboard.USER32 ref: 007BEEA3

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 90dca3a0765156debcca3fdd8a9f58b203c7c6be2a6ff1e59a1facd59953ed07
Instruction ID: 4b8800ca4a0ff87aa9cfa44ab98f0d28c19d4bde79f499a99a880fe832c11bd7
Opcode Fuzzy Hash: 90dca3a0765156debcca3fdd8a9f58b203c7c6be2a6ff1e59a1facd59953ed07
Instruction Fuzzy Hash: 7F419E35605612EFE721DF15D888B99BBE5FF44318F18C09AE8158B762C779EC41CB90

Function 007AE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007A170D
Part of subcall function 007A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007A173A
Part of subcall function 007A16C3: GetLastError.KERNEL32 ref: 007A174A

ExitWindowsEx.USER32(?,00000000), ref: 007AE932

Strings

@, xrefs: 007AE925
SeShutdownPrivilege, xrefs: 007AE902
, xrefs: 007AE95C
, xrefs: 007AE920

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 03a20a7a36538af20ed951d8212a797a9c15bdd9ba36aac1e390e4ffd9121799
Instruction ID: d101a407932f6ec6231e73eca6b3962db4a9df2320ee08dddf7f2445ef434bed
Opcode Fuzzy Hash: 03a20a7a36538af20ed951d8212a797a9c15bdd9ba36aac1e390e4ffd9121799
Instruction Fuzzy Hash: AA012632610311ABEB5422B49C8ABBB726CAB86740F154622F803E21D1E5AC7C4081A6

Function 007C1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007C1276
WSAGetLastError.WSOCK32 ref: 007C1283
bind.WSOCK32(00000000,?,00000010), ref: 007C12BA
WSAGetLastError.WSOCK32 ref: 007C12C5
closesocket.WSOCK32(00000000), ref: 007C12F4
listen.WSOCK32(00000000,00000005), ref: 007C1303
WSAGetLastError.WSOCK32 ref: 007C130D
closesocket.WSOCK32(00000000), ref: 007C133C

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 78fdd3c7829f39d7be2155f5cdf3cfc9726ecb62c34f2d3702790ca61d74b182
Instruction ID: 9c548a33999b67b554dee07271f3cb93eab6eb662a28f6da814d791213394201
Opcode Fuzzy Hash: 78fdd3c7829f39d7be2155f5cdf3cfc9726ecb62c34f2d3702790ca61d74b182
Instruction Fuzzy Hash: CD417C35A001419FD710DF24C488F2ABBE6BF46318F58819DE8568F293C779EC81CBA1

Function 0077B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0077B9D4
_free.LIBCMT ref: 0077B9F8
_free.LIBCMT ref: 0077BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,007E3700), ref: 0077BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0081121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0077BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00811270,000000FF,?,0000003F,00000000,?), ref: 0077BC36
_free.LIBCMT ref: 0077BD4B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 3243a548709485136c4cdb16cb999d794de0efddd0bd63e4207353aa4b2cba95
Instruction ID: 3c4c7bfdfc7161c81ae0c6d6473302a6efcdf66aecf72ac001857021cc21a838
Opcode Fuzzy Hash: 3243a548709485136c4cdb16cb999d794de0efddd0bd63e4207353aa4b2cba95
Instruction Fuzzy Hash: 51C12B71A04209DFCF21EF788C45BAABBB9EF41390F14C59AE998D7251E7389E41CB50

Function 007AD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00743AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00743A97,?,?,00742E7F,?,?,?,00000000), ref: 00743AC2

Part of subcall function 007AE199: GetFileAttributesW.KERNEL32(?,007ACF95), ref: 007AE19A

FindFirstFileW.KERNEL32(?,?), ref: 007AD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 007AD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 007AD481
FindClose.KERNEL32(00000000), ref: 007AD498
FindClose.KERNEL32(00000000), ref: 007AD4A1

Strings

\*.*, xrefs: 007AD3F2

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 484ed33afec96670837794697d221126ff202270f2b4f771e31e9b95142811e9
Instruction ID: 9299a5974ba8dece058e6461b1b65fe616bba4de09dcce1891c8f53c56f6867b
Opcode Fuzzy Hash: 484ed33afec96670837794697d221126ff202270f2b4f771e31e9b95142811e9
Instruction Fuzzy Hash: 943182710093859FC315EF64C8598AFB7A8BE96304F444A1EF8D693191EB38AE09C763

Function 0077E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0077E645

Strings

1#SNAN, xrefs: 0077F844
1#INF, xrefs: 0077F852
1#IND, xrefs: 0077F83D
1#QNAN, xrefs: 0077F84B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6da608e357f122b9438bfc2e49348ad726fd78cc2f58cc33a91118d659d08929
Instruction ID: 0cf29337451bf9f21573dfb1c974befc1d73081e48b1a69f6eb76876a428ebc4
Opcode Fuzzy Hash: 6da608e357f122b9438bfc2e49348ad726fd78cc2f58cc33a91118d659d08929
Instruction Fuzzy Hash: B8C23C72E046288FDF25CE28DD447EAB7B5EB49344F1481EAD84DE7241E778AE818F40

Function 007B648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007B64DC
CoInitialize.OLE32(00000000), ref: 007B6639
CoCreateInstance.OLE32(007DFCF8,00000000,00000001,007DFB68,?), ref: 007B6650
CoUninitialize.OLE32 ref: 007B68D4

Strings

.lnk, xrefs: 007B64BA, 007B6524, 007B65E0

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 2b9e1861482e99781c93e101dbe3215d0d12340be7938e5ca62ae0461df22bfa
Instruction ID: 264eb2060f418d61e8344a0fc5eaf4c17fefb9ef2eb40571867932e672e29971
Opcode Fuzzy Hash: 2b9e1861482e99781c93e101dbe3215d0d12340be7938e5ca62ae0461df22bfa
Instruction Fuzzy Hash: 60D149715082019FC314DF24C885EABB7E8FF94704F14495DF6958B2A1EB79E909CBA2

Function 007C22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007C22E8

Part of subcall function 007BE4EC: GetWindowRect.USER32(?,?), ref: 007BE504

GetDesktopWindow.USER32 ref: 007C2312
GetWindowRect.USER32(00000000), ref: 007C2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 007C2355
GetCursorPos.USER32(?), ref: 007C2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007C23DF

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 5ba3492fa0cb27629d69c30a758d210164108682f51189d3bfa928559d9e2ffd
Instruction ID: 86920ef6e9d624f63d4f0848aaa1402141f8642be0edc984e2e00b76b443268b
Opcode Fuzzy Hash: 5ba3492fa0cb27629d69c30a758d210164108682f51189d3bfa928559d9e2ffd
Instruction Fuzzy Hash: 6031ED72105346ABC720DF14D808F9BBBA9FF84710F000A1EF98597182DB38EA09CB96

Function 007B9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 007B9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 007B9C8B

Part of subcall function 007B3874: GetInputState.USER32 ref: 007B38CB
Part of subcall function 007B3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007B3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 007B9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 007B9C75

Strings

*.*, xrefs: 007B9B5D

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 195936dfa01ef6c7cf1a4f328359be1ed7f5c1f1d76ca04ee627643e5f9649fc
Instruction ID: 6df4c3a3fe93d7a6d589c12c77e463cd4b3a4e3f148d83936397477372df0a01
Opcode Fuzzy Hash: 195936dfa01ef6c7cf1a4f328359be1ed7f5c1f1d76ca04ee627643e5f9649fc
Instruction Fuzzy Hash: 88415FB194420ADFDF15DFB4C889BEEBBB8FF05310F244156EA15A2191EB389E44CB60

Function 00748060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 007483E8
ERCP, xrefs: 0074813C
VUUU, xrefs: 00785DF0
VUUU, xrefs: 0074843C
VUUU, xrefs: 007483FA
_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00785D04

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
API String ID: 0-2009957334
Opcode ID: 9300ffd2b16456630111e195987af7a4ea873d05a00c203c4573943a98b66a53
Instruction ID: 840126ccd87ec97152151a5db12ee108148ab52f00991a42412a08c22fc2c3d5
Opcode Fuzzy Hash: 9300ffd2b16456630111e195987af7a4ea873d05a00c203c4573943a98b66a53
Instruction Fuzzy Hash: 08A29070E4021ECBDF64DF58C8447ADB7B1BF54314F2481AAD815AB285EB789D81CF92

Function 0075997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00759BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00759BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00759A4E
GetSysColor.USER32(0000000F), ref: 00759B23
SetBkColor.GDI32(?,00000000), ref: 00759B36

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 08cf48e9a915c23d54b48b0aa70855acb6569f92ec3256af8b045642e8793616
Instruction ID: 010fc906a730a9d7a6a5a043ef92f775645a90eb1ace0406cb34849765408bbe
Opcode Fuzzy Hash: 08cf48e9a915c23d54b48b0aa70855acb6569f92ec3256af8b045642e8793616
Instruction Fuzzy Hash: BDA12CB0218544FEEF2D9A3C9C4DDFB2A6DEB42302F14810AFB12D6691CA6D9D05C275

Function 007C1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007C307A
Part of subcall function 007C304E: _wcslen.LIBCMT ref: 007C309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007C185D
WSAGetLastError.WSOCK32 ref: 007C1884
bind.WSOCK32(00000000,?,00000010), ref: 007C18DB
WSAGetLastError.WSOCK32 ref: 007C18E6
closesocket.WSOCK32(00000000), ref: 007C1915

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 9ad091ab15fa8bab511c4edd7a9c3e51eda6b5f4eb5f9520664151e0dd778078
Instruction ID: b487d21dd67bd8db9118862d6d255fd5e473b1753fa1064d47bb3c656a39e9db
Opcode Fuzzy Hash: 9ad091ab15fa8bab511c4edd7a9c3e51eda6b5f4eb5f9520664151e0dd778078
Instruction Fuzzy Hash: D851B371A00210AFDB11AF24C88AF6AB7E5AB45718F58849CF9055F3D3C779AD41CBE1

Function 007D1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007D1CC0
IsWindowEnabled.USER32 ref: 007D1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 007D1CDB
IsIconic.USER32 ref: 007D1CE9
IsZoomed.USER32 ref: 007D1CF7

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: beee503577afaebfae4b8bba71e165e8fc0a2a2f38731a7c35c4bb2e7580afd8
Instruction ID: f448ee6c20c43abb12ee95d83dd9085189ce9005c9e253f6c482f25cbdbdf340
Opcode Fuzzy Hash: beee503577afaebfae4b8bba71e165e8fc0a2a2f38731a7c35c4bb2e7580afd8
Instruction Fuzzy Hash: 53210731751201AFD7218F1AC844B167BF5EF84320F58805AE84ACB351D779DC42CBA4

Function 007AAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 007AAAAC
SetKeyboardState.USER32(00000080), ref: 007AAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 007AAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 007AAB88

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b3a7eeb49fb6cdbffa2b7e343bac9bb9a55e6d82f40f550b8854efcdfa2f7287
Instruction ID: c545e8b2a464e67e7c64100982010727c283b49b8893f75264980ffcc69ea055
Opcode Fuzzy Hash: b3a7eeb49fb6cdbffa2b7e343bac9bb9a55e6d82f40f550b8854efcdfa2f7287
Instruction Fuzzy Hash: 843105B0A40248BEFF358B64CC09BFA7BA6ABC6310F04831AE181965D1D37D8991C776

Function 007BCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 007BCE89
GetLastError.KERNEL32(?,00000000), ref: 007BCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 007BCEFE

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: a1a56db92567145aeb11da88be65d27981a709d2e91865d8877af2ffff1a26a6
Instruction ID: 4be0573a232f2ab179390f16e8a5dde68f5a47d1ea4eb3c40d2db5a82bef213d
Opcode Fuzzy Hash: a1a56db92567145aeb11da88be65d27981a709d2e91865d8877af2ffff1a26a6
Instruction Fuzzy Hash: 00219DB2600306DFEB22DFA5C949BA777F8EB50354F10841EE546D2151E778EE04CBA4

Function 007A8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007A82AA

Strings

|, xrefs: 007A82DA
(, xrefs: 007A82F0

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 1099f71cd5d9617c8271d0f4cd62c98f6ca88eb9fa2382108d7bc210620a4c3a
Instruction ID: a5855b4ad15d233d8f436d5a372f021f407ebca765f3b6e12762f914ca002265
Opcode Fuzzy Hash: 1099f71cd5d9617c8271d0f4cd62c98f6ca88eb9fa2382108d7bc210620a4c3a
Instruction Fuzzy Hash: B9324575A00605DFCB68CF59C481A6AB7F0FF88710B15C56EE49ADB3A1EB74E941CB40

Function 007B5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007B5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 007B5D17
FindClose.KERNEL32(?), ref: 007B5D5F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 142563fe0e747c8f27b8565225e6eeca9e4f1f255cd87b07178443db3a40aca0
Instruction ID: fd55e78ef925ed76e646f27fbf05f6c68b3ea5c5cd597f002b9d02e9f41c7370
Opcode Fuzzy Hash: 142563fe0e747c8f27b8565225e6eeca9e4f1f255cd87b07178443db3a40aca0
Instruction Fuzzy Hash: 8C517875604A019FC714CF28C498B96B7E4FF49314F14865EE95A8B3A1DB38FD04CB91

Function 00772622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0077271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00772724
UnhandledExceptionFilter.KERNEL32(?), ref: 00772731

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: da2a023df19d11541c67687a97a99e4e8552f577f3d0e006c475c0ce16abd0b1
Instruction ID: 3750d5a3282939505800d142e467e32ae1dae5ed4c7fb8314a9a7909e35ad931
Opcode Fuzzy Hash: da2a023df19d11541c67687a97a99e4e8552f577f3d0e006c475c0ce16abd0b1
Instruction Fuzzy Hash: F331D7749112189BCB21DF64DD8879DBBB8BF08350F5082DAE81CA7261E7349F858F85

Function 007B51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007B51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 007B5238
SetErrorMode.KERNEL32(00000000), ref: 007B52A1

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: d3c18859b91c13cbb61ebea8f07dd981faadf3e1b39c36f733bfdd725d7e8463
Instruction ID: ce47051e3126946996cc67f67d7bda9472ec757bd8b193b77ba21512889f07a4
Opcode Fuzzy Hash: d3c18859b91c13cbb61ebea8f07dd981faadf3e1b39c36f733bfdd725d7e8463
Instruction Fuzzy Hash: FF313A75A00518DFDB01DF54D888BEDBBB5FF49314F088099E805AB362DB3AE856CB90

Function 007A16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0075FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00760668
Part of subcall function 0075FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00760685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007A170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007A173A
GetLastError.KERNEL32 ref: 007A174A

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 83fae912314ddd89e46054944d45362c2ef487f3a1947c4eaf74c85c3c1e99fb
Instruction ID: 7deeec5be5dbac7f66ef8211b675486fed1686424a2b6f676ab5c4d65da155f9
Opcode Fuzzy Hash: 83fae912314ddd89e46054944d45362c2ef487f3a1947c4eaf74c85c3c1e99fb
Instruction Fuzzy Hash: 2011CEB2500305AFE718AF54DC8ADAAB7B9EB44714B20C52EE45697241EB74BC41CA24

Function 007AD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007AD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 007AD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007AD650

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f07c5929d466f3f5eb077ad8470a3eb8f9dea628415fe53f6b43d3e2caf37f5a
Instruction ID: a0c02cf41afec75dc613890e0b22ed38f10fe8ac7483a3971dae7905e32e5459
Opcode Fuzzy Hash: f07c5929d466f3f5eb077ad8470a3eb8f9dea628415fe53f6b43d3e2caf37f5a
Instruction Fuzzy Hash: B8118E71E05228BFDB208F94DC44FAFBBBCEB45B50F108112F904E7290C2744E018BA1

Function 007A1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 007A168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007A16A1
FreeSid.ADVAPI32(?), ref: 007A16B1

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 60edcc2fca925a5befd2020e8575b9b1f8a656f19991a6ffe741f34adadb8d44
Instruction ID: 9c561b2cc3e11b25d07a5f850652a626016738f67fe74d5909e837fdcebd2b85
Opcode Fuzzy Hash: 60edcc2fca925a5befd2020e8575b9b1f8a656f19991a6ffe741f34adadb8d44
Instruction Fuzzy Hash: 49F0F471951309FBEF00DFE49C89AAEBBBCEB08604F508565E601E2181E778AA448A54

Function 0077C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0077C36C

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: bb7963b6fcd1165db550714903d4f3a5c5131d4a1a70a307c8e7f632616f5ad7
Instruction ID: afa9044cbb691509590cbe21ba728601b3762e86ac8cfe1353c6d806323fb9b8
Opcode Fuzzy Hash: bb7963b6fcd1165db550714903d4f3a5c5131d4a1a70a307c8e7f632616f5ad7
Instruction Fuzzy Hash: B9413872500619AFCF209FB9CC49DBB77B8EB88394F1082ADF909D7181E6749D41CB50

Function 0079D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0079D28C

Strings

X64, xrefs: 0079D2A8

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 380385418fc74cc0669f815552abe2a984a08d9c4f038ce0ce2124fe1b367c27
Instruction ID: ce2773d6972abcb0229673cd8bde01c6e0048b80ab658e28ec362886dacdefa1
Opcode Fuzzy Hash: 380385418fc74cc0669f815552abe2a984a08d9c4f038ce0ce2124fe1b367c27
Instruction Fuzzy Hash: ECD0C9B480111DEACFA0CB90EC88DD9B37CBB04305F104152F506A2080D77899488F10

Function 0076CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 0d30c3192e983c46a508081a7c3141f0aa3b1480a6ff8a13304c16cbea582cb3
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 25023D72E002199FDF15CFA9C8806ADFBF5EF48314F25816AD85AE7380D735AA418B94

Function 007B68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007B6918
FindClose.KERNEL32(00000000), ref: 007B6961

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 6a08923d23e1fd3f38d77f8b7f8cdb6ceb81357d476f89682efdd8e879ef4bd5
Instruction ID: d06a69cc9c8382b41b373b2ddd0735ece375567fda0755d63c02b7cd12053d24
Opcode Fuzzy Hash: 6a08923d23e1fd3f38d77f8b7f8cdb6ceb81357d476f89682efdd8e879ef4bd5
Instruction Fuzzy Hash: 9D1190716042119FD714DF29D488A16BBE5FF85328F14C69DE9698F2A2C738FC05CB91

Function 007B37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,007C4891,?,?,00000035,?), ref: 007B37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,007C4891,?,?,00000035,?), ref: 007B37F4

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 4790e42b69a78e539a2b6288c88521ba6214d888e7ac489218912fe445855ba5
Instruction ID: e0e234ce7997a8798a51e9f44244516cf71df90e2d220d4e22275212c5f8a42f
Opcode Fuzzy Hash: 4790e42b69a78e539a2b6288c88521ba6214d888e7ac489218912fe445855ba5
Instruction Fuzzy Hash: C0F0E5B06052296AE72027769C8DFEB3BAEEFC4761F000265F609D2281DA749944C7B0

Function 007AB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 007AB25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 007AB270

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 81d3d730b83bf96d14b3a4a3da562d3e971c8ca9c3c5bc383c69e6d7fb5fb8ac
Instruction ID: f12de31ba0e838f42b7eab92c4370a9911ef54cbfdbdec07fe3e78895ba77cda
Opcode Fuzzy Hash: 81d3d730b83bf96d14b3a4a3da562d3e971c8ca9c3c5bc383c69e6d7fb5fb8ac
Instruction Fuzzy Hash: CBF01D7180424EABDB059FA0C805BAE7BB4FF09315F10814AF955A5192C37D8611DF94

Function 007A10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007A11FC), ref: 007A10D4
CloseHandle.KERNEL32(?,?,007A11FC), ref: 007A10E9

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 484da359fd0b6992380770fd6ff229e18d7f1fbf76d59ba308ce698b40b10d0e
Instruction ID: eccc69ce6c8f2cb84d5b541ebc9c74f2abf5d92de93b83facefc033be5ee53f4
Opcode Fuzzy Hash: 484da359fd0b6992380770fd6ff229e18d7f1fbf76d59ba308ce698b40b10d0e
Instruction Fuzzy Hash: 3EE04F32004601EEF7262B11FC0AEB377B9EB04311F10C82EF8A5804B1DBA66C90DB54

Function 0074CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00790C40

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 3e3b559164b710a6b00e6ab2d4da8d9a36a12610915a739955be4e84da553d9b
Instruction ID: 5bc3ff66b5723cc9c18d17289a2557af36b5637cdb7dda09dd2d7686dc09efac
Opcode Fuzzy Hash: 3e3b559164b710a6b00e6ab2d4da8d9a36a12610915a739955be4e84da553d9b
Instruction Fuzzy Hash: F832BD70A11218DFCF55DF90D885AEDB7B5FF05304F148069E806AB292DB7DAE49CBA0

Function 0077676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00776766,?,?,00000008,?,?,0077FEFE,00000000), ref: 00776998

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0183d562bc613a8d3c5685eb62d60af4770fc300d121e3e0cef14ed7c7dd778f
Instruction ID: 3fd65c5f3cce08982a1b041eea7bb19433a5fea941ce9e7c734ba77048571648
Opcode Fuzzy Hash: 0183d562bc613a8d3c5685eb62d60af4770fc300d121e3e0cef14ed7c7dd778f
Instruction Fuzzy Hash: 38B15C31610A099FDB19CF28C486B657BE0FF453A4F25C658E99DCF2A6C339E985CB40

Function 0075B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0079851F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3f5463d5466890a25a44dd8e28e5de2ff3b4f7f0389dbb892e07f7a084628eb6
Instruction ID: 852cd9ee802f30fbdfa4a55962c9face8fff33c7f363f8ab35357776dff8a7ec
Opcode Fuzzy Hash: 3f5463d5466890a25a44dd8e28e5de2ff3b4f7f0389dbb892e07f7a084628eb6
Instruction Fuzzy Hash: 7F125F71900229DBCF64CF58D880AFEB7B5FF48710F14819AE849EB251DB789E85CB91

Function 007BEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 007BEABD

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 947f532c44fa7cf3dfb1111ad1755ed9ad9967c754f0fa6b00443099b8e1e75e
Instruction ID: 760f7e88f805954387ae7449a596048ccbdee2f045ea493688d36aa50af4c6b3
Opcode Fuzzy Hash: 947f532c44fa7cf3dfb1111ad1755ed9ad9967c754f0fa6b00443099b8e1e75e
Instruction Fuzzy Hash: 63E01A322002049FC710EF69D808E9AF7EDAF98760F00C416FC49C7391DB79E8408B90

Function 007609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007603EE), ref: 007609DA

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 742cc0a7a0a16cda0cd867e494ae48e036f40895886bd7a3396c19dc0b3d34ef
Instruction ID: 82ce8aca1d479708c58c08cff3c159a6e552de30eda733d933ea4cfb2ec288fd
Opcode Fuzzy Hash: 742cc0a7a0a16cda0cd867e494ae48e036f40895886bd7a3396c19dc0b3d34ef
Instruction Fuzzy Hash:

Function 0076781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0076798B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 92dee958abaaa648e80228157a04858c8d5a6ed69405cbdd2bd07674c7cb3d21
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: FD51466160C7479ADB3C8578889E7BE23D99B123CCF180A09DC83DB282C61DEE45D356

Function 00776DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974c1c540a27892f7d3e70a9609ebcffa5b789e7019310815da91db4ede252b4
Instruction ID: fb7c15b45b4d81f00d3a697cc057cd502a8b29ed7b8c01e39ba19cb43d4c44c5
Opcode Fuzzy Hash: 974c1c540a27892f7d3e70a9609ebcffa5b789e7019310815da91db4ede252b4
Instruction Fuzzy Hash: E1322621D29F814DDB279634CC62335664DAFBB3C5F15D737E81AB99AAEB2DC4838100

Function 0075CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206423f82115d3999af316c9fb863990e2ad84761761a952d30d8764c1cfc024
Instruction ID: 649eb7ea6e01dd6198ebf56257ef53c668d69b151d7a2894bcf714e418be6448
Opcode Fuzzy Hash: 206423f82115d3999af316c9fb863990e2ad84761761a952d30d8764c1cfc024
Instruction Fuzzy Hash: 15324931A002458FDF27CF28E4946BD7BA1EB45311F28816AD85ACB292E73CDD85DB60

Function 00747920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43feecaefc58ad381eff640f39439cb74001ac6c6c082259b2d0bbf03afe7445
Instruction ID: daaac4cdd9fe3f5c34f6f7257e97a076c11db70031543b189870af141cb4189c
Opcode Fuzzy Hash: 43feecaefc58ad381eff640f39439cb74001ac6c6c082259b2d0bbf03afe7445
Instruction Fuzzy Hash: 9A22B1B0A04609DFDF14DF68D885AAEB7F6FF44300F244529E816E7291EB3AAD15CB50

Function 007491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e2f86512fabdea36a40dd8d18cc9dd49182bd3fc29b097a21b9701ea38d625
Instruction ID: 4df0490c1ca352e49124ea58819652172da6e00b0771f38042fd6eff139a3564
Opcode Fuzzy Hash: 58e2f86512fabdea36a40dd8d18cc9dd49182bd3fc29b097a21b9701ea38d625
Instruction Fuzzy Hash: CF02B7B1E00205EFDB04EF64D885AAEB7B5FF44300F118169E916DB291EB79EE14CB91

Function 00779EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eba395f631921772b3085e629b6717e534678db85dec18a256ac63976ae09b3
Instruction ID: fa1581d801f8a4f8231279221160048f5c59191f9a197c8f04e72331d15ca021
Opcode Fuzzy Hash: 1eba395f631921772b3085e629b6717e534678db85dec18a256ac63976ae09b3
Instruction Fuzzy Hash: 1CB12520D2AF814DD7239639C875336B65CAFBB2C5F91D71BFC2A79D22EB2685834140

Function 00767A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ec3f861d0d733ef68c49922214fd01ca9f55762f82aba838a979b4da86d62a
Instruction ID: 3f0d7a33baeed40e23d98fc510c157f839de9a5d3b3419cea00c1230ecc6f308
Opcode Fuzzy Hash: a3ec3f861d0d733ef68c49922214fd01ca9f55762f82aba838a979b4da86d62a
Instruction Fuzzy Hash: A1618DB120870996DE3C9A6C8C95BBE2398DF417CCF144A1DEC4BDB281D91DDE42C756

Function 00767CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf405809b230e436f60eb2f935fce4f36893061746770671bcb51a405f19aa6c
Instruction ID: 5631bd6b1237b1c4008f3c7f94234db4725e431d9adac2fc358bb3e625115e8a
Opcode Fuzzy Hash: cf405809b230e436f60eb2f935fce4f36893061746770671bcb51a405f19aa6c
Instruction Fuzzy Hash: FA61697170870996DA3C8A288895BBF23949F427CCF140D5AED43DB281EB1EAD4AC356

Function 007B2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cffc9558261a26838309e91bfac7b989434c0022be598fb3e718b50094b6282
Instruction ID: 51c973afcb245ddd922087fac56337aedd1d508eba79f2cd5c7d1a5e7835c47e
Opcode Fuzzy Hash: 6cffc9558261a26838309e91bfac7b989434c0022be598fb3e718b50094b6282
Instruction Fuzzy Hash: DA21D8322216118BD728CE79C8126BA73E9BB64310F14862EE4A7C33D1DE39A945CB40

Function 007C2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007C2B30
DeleteObject.GDI32(00000000), ref: 007C2B43
DestroyWindow.USER32 ref: 007C2B52
GetDesktopWindow.USER32 ref: 007C2B6D
GetWindowRect.USER32(00000000), ref: 007C2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 007C2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 007C2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C2CF8
GetClientRect.USER32(00000000,?), ref: 007C2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007C2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C2D80
GlobalLock.KERNEL32(00000000), ref: 007C2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C2D98
GlobalUnlock.KERNEL32(00000000), ref: 007C2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C2DA8
GlobalFree.KERNEL32(00000000), ref: 007C2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,007DFC38,00000000), ref: 007C2DDB
GlobalFree.KERNEL32(00000000), ref: 007C2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 007C2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 007C2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C303F

Strings

static, xrefs: 007C2D3A, 007C2E91
AutoIt v3, xrefs: 007C2CF2
, xrefs: 007C2FC5
DISPLAY, xrefs: 007C2EA2

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b700c3891c0eb6d1c5da4820bd887913c52b3042a51346505c914005458269c5
Instruction ID: 81206a60760bcd9ef47b94a3dc2d81f4e29f01ffbe75ba433a6e4bf61d3c6df4
Opcode Fuzzy Hash: b700c3891c0eb6d1c5da4820bd887913c52b3042a51346505c914005458269c5
Instruction Fuzzy Hash: FF025771900219EFDB15DF64CC89EAEBBB9EB48310F04815DF915AB2A1DB78ED01CB64

Function 007D70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007D712F
GetSysColorBrush.USER32(0000000F), ref: 007D7160
GetSysColor.USER32(0000000F), ref: 007D716C
SetBkColor.GDI32(?,000000FF), ref: 007D7186
SelectObject.GDI32(?,?), ref: 007D7195
InflateRect.USER32(?,000000FF,000000FF), ref: 007D71C0
GetSysColor.USER32(00000010), ref: 007D71C8
CreateSolidBrush.GDI32(00000000), ref: 007D71CF
FrameRect.USER32(?,?,00000000), ref: 007D71DE
DeleteObject.GDI32(00000000), ref: 007D71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 007D7230
FillRect.USER32(?,?,?), ref: 007D7262
GetWindowLongW.USER32(?,000000F0), ref: 007D7284

Part of subcall function 007D73E8: GetSysColor.USER32(00000012), ref: 007D7421
Part of subcall function 007D73E8: SetTextColor.GDI32(?,?), ref: 007D7425
Part of subcall function 007D73E8: GetSysColorBrush.USER32(0000000F), ref: 007D743B
Part of subcall function 007D73E8: GetSysColor.USER32(0000000F), ref: 007D7446
Part of subcall function 007D73E8: GetSysColor.USER32(00000011), ref: 007D7463
Part of subcall function 007D73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007D7471
Part of subcall function 007D73E8: SelectObject.GDI32(?,00000000), ref: 007D7482
Part of subcall function 007D73E8: SetBkColor.GDI32(?,00000000), ref: 007D748B
Part of subcall function 007D73E8: SelectObject.GDI32(?,?), ref: 007D7498
Part of subcall function 007D73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007D74B7
Part of subcall function 007D73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007D74CE
Part of subcall function 007D73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007D74DB

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 74e49f23bf305d5b2da028dcda2b3b237f544847f112616ade8d7653e4d38dac
Instruction ID: e257965ed3aa6dcee0f00b8edf9fc7ae34764961216889cdd6ed2e15d9f9cd08
Opcode Fuzzy Hash: 74e49f23bf305d5b2da028dcda2b3b237f544847f112616ade8d7653e4d38dac
Instruction Fuzzy Hash: 4BA1B272009316EFDB059F60DC48A5BBBB9FB88320F104B1AF962961E0E739E944CB51

Function 007C2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007C273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007C286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007C28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007C28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 007C2900
GetClientRect.USER32(00000000,?), ref: 007C290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 007C2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007C2964
GetStockObject.GDI32(00000011), ref: 007C2974
SelectObject.GDI32(00000000,00000000), ref: 007C2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 007C2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007C2991
DeleteDC.GDI32(00000000), ref: 007C299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007C29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007C29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 007C2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007C2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 007C2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 007C2A77
GetStockObject.GDI32(00000011), ref: 007C2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007C2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 007C2A97

Strings

static, xrefs: 007C294F, 007C2A71
AutoIt v3, xrefs: 007C28F8
msctls_progress32, xrefs: 007C2A13
DISPLAY, xrefs: 007C295A

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: c5aff194bf717b17af1bfea1f39f75d11eede328d88ac701d6701a7d81d3ee10
Instruction ID: ea253272a6b70064faf2a883ed557813dc7905da7c61f7b034e4eb43bdf600e6
Opcode Fuzzy Hash: c5aff194bf717b17af1bfea1f39f75d11eede328d88ac701d6701a7d81d3ee10
Instruction Fuzzy Hash: 27B13CB1A40215AFDB14DF68CC49FAABBB9EB08710F108519FA15E7291D778ED40CB54

Function 007B4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007B4AED
GetDriveTypeW.KERNEL32(?,007DCB68,?,\\.\,007DCC08), ref: 007B4BCA
SetErrorMode.KERNEL32(00000000,007DCB68,?,\\.\,007DCC08), ref: 007B4D36

Strings

CDROM, xrefs: 007B4BFB
ATAPI, xrefs: 007B4C91
RAMDisk, xrefs: 007B4BF4
RAID, xrefs: 007B4CBB
iSCSI, xrefs: 007B4CC2
FileBackedVirtual, xrefs: 007B4CEC
Removable, xrefs: 007B4C10, 007B4C15
Virtual, xrefs: 007B4CE5
SSD, xrefs: 007B4C4A
SSA, xrefs: 007B4CA6
SAS, xrefs: 007B4CC9
Network, xrefs: 007B4C02
\\.\, xrefs: 007B4B3F
MMC, xrefs: 007B4CDE
PhysicalDrive, xrefs: 007B4B76
SCSI, xrefs: 007B4C8A
ATA, xrefs: 007B4C98
SATA, xrefs: 007B4CD0
1394, xrefs: 007B4C9F
USB, xrefs: 007B4CB4
Fixed, xrefs: 007B4C09
Fibre, xrefs: 007B4CAD
Unknown, xrefs: 007B4BED, 007B4C83

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 546aa6ba5aa8af561820e7f29d9a490e65c1df039fadc0cbba4cf9e6f913a3b1
Instruction ID: bdd66e83f1d206e71ba5b6598c52e618ae46d6145784cc0f2c7be2ddbdf1f9b1
Opcode Fuzzy Hash: 546aa6ba5aa8af561820e7f29d9a490e65c1df039fadc0cbba4cf9e6f913a3b1
Instruction Fuzzy Hash: CC61AE30601106DBCB54DF24CA96AB9BBB0FB04B00B248415F906EB693EB2EDD65DB61

Function 007D73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007D7421
SetTextColor.GDI32(?,?), ref: 007D7425
GetSysColorBrush.USER32(0000000F), ref: 007D743B
GetSysColor.USER32(0000000F), ref: 007D7446
CreateSolidBrush.GDI32(?), ref: 007D744B
GetSysColor.USER32(00000011), ref: 007D7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007D7471
SelectObject.GDI32(?,00000000), ref: 007D7482
SetBkColor.GDI32(?,00000000), ref: 007D748B
SelectObject.GDI32(?,?), ref: 007D7498
InflateRect.USER32(?,000000FF,000000FF), ref: 007D74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007D74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007D74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007D752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007D7554
InflateRect.USER32(?,000000FD,000000FD), ref: 007D7572
DrawFocusRect.USER32(?,?), ref: 007D757D
GetSysColor.USER32(00000011), ref: 007D758E
SetTextColor.GDI32(?,00000000), ref: 007D7596
DrawTextW.USER32(?,007D70F5,000000FF,?,00000000), ref: 007D75A8
SelectObject.GDI32(?,?), ref: 007D75BF
DeleteObject.GDI32(?), ref: 007D75CA
SelectObject.GDI32(?,?), ref: 007D75D0
DeleteObject.GDI32(?), ref: 007D75D5
SetTextColor.GDI32(?,?), ref: 007D75DB
SetBkColor.GDI32(?,?), ref: 007D75E5

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: ec800e2c9b688112f0286dec1f0dc907b81a019119d75289ef168605d65aaff3
Instruction ID: 7ae6f3fbdf676191ae3060525f3b8062b371ff97aa630edadd67ab17debf86d5
Opcode Fuzzy Hash: ec800e2c9b688112f0286dec1f0dc907b81a019119d75289ef168605d65aaff3
Instruction Fuzzy Hash: 7B618372901219AFDF069FA4DC49EEEBF79EF08320F108116F915AB2A1D7799940CF90

Function 007D0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007D1128
GetDesktopWindow.USER32 ref: 007D113D
GetWindowRect.USER32(00000000), ref: 007D1144
GetWindowLongW.USER32(?,000000F0), ref: 007D1199
DestroyWindow.USER32(?), ref: 007D11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007D11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007D120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007D121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 007D1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 007D1245
IsWindowVisible.USER32(00000000), ref: 007D12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007D12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007D12D0
GetWindowRect.USER32(00000000,?), ref: 007D12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 007D130E
GetMonitorInfoW.USER32(00000000,?), ref: 007D1328
CopyRect.USER32(?,?), ref: 007D133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007D13AA

Strings

tooltips_class32, xrefs: 007D11E6
0, xrefs: 007D10D3
(, xrefs: 007D131B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 581cb83417b66729be313c4c52ecb874204a6feb1c75d9035b66aa3b6ee05a89
Instruction ID: 7939b3733425c9b1ebcac3f55be9e12e7008039e433fb8a17803739161652121
Opcode Fuzzy Hash: 581cb83417b66729be313c4c52ecb874204a6feb1c75d9035b66aa3b6ee05a89
Instruction Fuzzy Hash: 27B17B71608341AFD714DF64C888B6AFBF4FF88350F40891AF9999B2A1D735E844CB96

Function 007D0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007D02E5
_wcslen.LIBCMT ref: 007D031F
_wcslen.LIBCMT ref: 007D0389
_wcslen.LIBCMT ref: 007D03F1
_wcslen.LIBCMT ref: 007D0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007D04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007D0504

Part of subcall function 0075F9F2: _wcslen.LIBCMT ref: 0075F9FD

Part of subcall function 007A223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007A2258
Part of subcall function 007A223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007A228A

Strings

FINDITEM, xrefs: 007D0627
GETSELECTED, xrefs: 007D05E1
VIEWCHANGE, xrefs: 007D0675
DESELECT, xrefs: 007D059C
GETITEMCOUNT, xrefs: 007D0316, 007D0337
GETSELECTEDCOUNT, xrefs: 007D0470, 007D048B
SELECTINVERT, xrefs: 007D057E
SELECTALL, xrefs: 007D0515
SELECTCLEAR, xrefs: 007D052D
GETTEXT, xrefs: 007D03EC, 007D0407
GETSUBITEMCOUNT, xrefs: 007D0384, 007D039F
ISSELECTED, xrefs: 007D04DD
SELECT, xrefs: 007D0548

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: b2837592a6429676d9a280dc836b7b1bb3fd7c5bbf9306abd39bc3b09bfb598f
Instruction ID: 58406ebacfb361085eae5e59e4748f7a558016850c8c031ddb38c226e16faa8e
Opcode Fuzzy Hash: b2837592a6429676d9a280dc836b7b1bb3fd7c5bbf9306abd39bc3b09bfb598f
Instruction Fuzzy Hash: F5E19C31208201DBC714DF28C954A2AB3F6FF89314F14595EF896AB3A1DB38ED46CB91

Function 00758891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00758968
GetSystemMetrics.USER32(00000007), ref: 00758970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0075899B
GetSystemMetrics.USER32(00000008), ref: 007589A3
GetSystemMetrics.USER32(00000004), ref: 007589C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007589F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00758A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00758A3C
GetClientRect.USER32(00000000,000000FF), ref: 00758A5A
GetStockObject.GDI32(00000011), ref: 00758A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00758A81

Part of subcall function 0075912D: GetCursorPos.USER32(?), ref: 00759141
Part of subcall function 0075912D: ScreenToClient.USER32(00000000,?), ref: 0075915E
Part of subcall function 0075912D: GetAsyncKeyState.USER32(00000001), ref: 00759183
Part of subcall function 0075912D: GetAsyncKeyState.USER32(00000002), ref: 0075919D

SetTimer.USER32(00000000,00000000,00000028,007590FC), ref: 00758AA8

Strings

AutoIt v3 GUI, xrefs: 00758A20

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 2a71a019ba762c8d2a1e36f25be01c6e26e851c1dd3f1b8f2fbe03f1c7f4f662
Instruction ID: f9e4fc3458ed30e77d95b508cbf862421efae9f464de9132c88542b8a5de3be3
Opcode Fuzzy Hash: 2a71a019ba762c8d2a1e36f25be01c6e26e851c1dd3f1b8f2fbe03f1c7f4f662
Instruction Fuzzy Hash: BEB16F7160020ADFDF14DFA8DC49BEA7BB5FB48315F10822AFA15A7290DB78A841CB55

Function 007A0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007A1114
Part of subcall function 007A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,007A0B9B,?,?,?), ref: 007A1120
Part of subcall function 007A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,007A0B9B,?,?,?), ref: 007A112F
Part of subcall function 007A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,007A0B9B,?,?,?), ref: 007A1136
Part of subcall function 007A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007A0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007A0E29
GetLengthSid.ADVAPI32(?), ref: 007A0E40
GetAce.ADVAPI32(?,00000000,?), ref: 007A0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007A0E96
GetLengthSid.ADVAPI32(?), ref: 007A0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 007A0EB5
HeapAlloc.KERNEL32(00000000), ref: 007A0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 007A0EDD
CopySid.ADVAPI32(00000000), ref: 007A0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007A0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007A0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007A0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007A0F6E
HeapFree.KERNEL32(00000000), ref: 007A0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007A0F7E
HeapFree.KERNEL32(00000000), ref: 007A0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007A0F8E
HeapFree.KERNEL32(00000000), ref: 007A0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 007A0FA1
HeapFree.KERNEL32(00000000), ref: 007A0FA8

Part of subcall function 007A1193: GetProcessHeap.KERNEL32(00000008,007A0BB1,?,00000000,?,007A0BB1,?), ref: 007A11A1
Part of subcall function 007A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,007A0BB1,?), ref: 007A11A8
Part of subcall function 007A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,007A0BB1,?), ref: 007A11B7

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 72daf37d757c6bfeffc7f6f58b2d1a3438be986cf0df5dcd8c897b04503c91d4
Instruction ID: cb6b4bd49d55ccf91bfe10ef74e9d5726123c6f22db120a5317fda812d8294d6
Opcode Fuzzy Hash: 72daf37d757c6bfeffc7f6f58b2d1a3438be986cf0df5dcd8c897b04503c91d4
Instruction Fuzzy Hash: 7171B07190121AEFDF209FA4DC49FAEBBB8BF45300F048616F954F6191D7399A05CBA0

Function 007CC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007CC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,007DCC08,00000000,?,00000000,?,?), ref: 007CC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 007CC5A4
_wcslen.LIBCMT ref: 007CC5F4
_wcslen.LIBCMT ref: 007CC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 007CC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 007CC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 007CC84D
RegCloseKey.ADVAPI32(?), ref: 007CC881
RegCloseKey.ADVAPI32(00000000), ref: 007CC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 007CC960

Strings

REG_EXPAND_SZ, xrefs: 007CC5CD
REG_DWORD, xrefs: 007CC804
REG_QWORD, xrefs: 007CC8C3
REG_BINARY, xrefs: 007CC913
REG_SZ, xrefs: 007CC644
REG_MULTI_SZ, xrefs: 007CC6F5

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 2d7afc9f2764990b90e7c1d41478c2ab74c0bef053ce24f88a311fad2e5bb37c
Instruction ID: 9bad09a84a216f27671fa29f8d93f83c47cc2650940c5ca9fb698df831d2fead
Opcode Fuzzy Hash: 2d7afc9f2764990b90e7c1d41478c2ab74c0bef053ce24f88a311fad2e5bb37c
Instruction Fuzzy Hash: B0123535604201DFDB15DF14C895F2AB7E5EF88714F14889DF88A9B2A2DB39ED41CB81

Function 007D091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007D09C6
_wcslen.LIBCMT ref: 007D0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007D0A54
_wcslen.LIBCMT ref: 007D0A8A
_wcslen.LIBCMT ref: 007D0B06
_wcslen.LIBCMT ref: 007D0B81

Part of subcall function 0075F9F2: _wcslen.LIBCMT ref: 0075F9FD

Part of subcall function 007A2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007A2BFA

Strings

EXPAND, xrefs: 007D0BF8
GETITEMCOUNT, xrefs: 007D0C1E
GETTEXT, xrefs: 007D0C97
GETSELECTED, xrefs: 007D0C4E
EXISTS, xrefs: 007D0B7C, 007D0B97
UNCHECK, xrefs: 007D0D3E
GETTOTALCOUNT, xrefs: 007D09F2, 007D0A17
CHECK, xrefs: 007D0A85, 007D0AA0
ISCHECKED, xrefs: 007D0CE1
SELECT, xrefs: 007D0D11
COLLAPSE, xrefs: 007D0B01, 007D0B1C

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 625f29b19d3c63086b144edf17adea553299f95588535cd3d81a9cc551e3031b
Instruction ID: b7b1b2f4130071832fa094a9605c550988adcac84c0623a030ddcf4453531e2c
Opcode Fuzzy Hash: 625f29b19d3c63086b144edf17adea553299f95588535cd3d81a9cc551e3031b
Instruction Fuzzy Hash: FEE166316087019FC714DF24C854A2AB7F2FF98314F14895AF8969B3A2D739ED4ACB81

Function 007CC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,007CB6AE,?,?), ref: 007CC9B5
_wcslen.LIBCMT ref: 007CC9F1
_wcslen.LIBCMT ref: 007CCA68
_wcslen.LIBCMT ref: 007CCA9E
_wcslen.LIBCMT ref: 007CCAF9
_wcslen.LIBCMT ref: 007CCB2F
_wcslen.LIBCMT ref: 007CCB7F

Strings

HKU, xrefs: 007CCBF0
HKCR, xrefs: 007CCB29, 007CCB2E
HKEY_USERS, xrefs: 007CCBDF
HKEY_CURRENT_CONFIG, xrefs: 007CCB79, 007CCB7E
HKEY_CURRENT_USER, xrefs: 007CCBBD
HKLM, xrefs: 007CCA98, 007CCA9D
HKEY_LOCAL_MACHINE, xrefs: 007CCA62, 007CCA67
HKCC, xrefs: 007CCBAC
HKEY_CLASSES_ROOT, xrefs: 007CCAF3, 007CCAF8
HKCU, xrefs: 007CCBCE

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: eb53b60f57eb04fb5321c0de3f9e5e1e05888ba2bb3396b718adaafb498c54f9
Instruction ID: 034818fc01b510f3e21d869c3e918d05668a666a7766a076dffb14c8e9429410
Opcode Fuzzy Hash: eb53b60f57eb04fb5321c0de3f9e5e1e05888ba2bb3396b718adaafb498c54f9
Instruction Fuzzy Hash: B371D172A0052A8BCB22DEBC8D45FBE3395AB60750B15412CEC6AA7284E73DDD45C3A0

Function 007D833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007D835A
_wcslen.LIBCMT ref: 007D836E
_wcslen.LIBCMT ref: 007D8391
_wcslen.LIBCMT ref: 007D83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007D83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,007D5BF2), ref: 007D844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007D8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007D84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007D8501
FreeLibrary.KERNEL32(?), ref: 007D850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007D851D
DestroyIcon.USER32(?,?,?,?,?,007D5BF2), ref: 007D852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007D8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007D8555

Strings

.exe, xrefs: 007D8388
.icl, xrefs: 007D8368
.dll, xrefs: 007D83AB

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 5de487a3f8ae0894b0c39094a83d5e226353e836fb92c8bd8d72b6438917877a
Instruction ID: 003ca12fa4cdf79234547c8742e5801b9e402769f68095375cc6118d74287544
Opcode Fuzzy Hash: 5de487a3f8ae0894b0c39094a83d5e226353e836fb92c8bd8d72b6438917877a
Instruction Fuzzy Hash: 4861E171940215FAEB54DF64DC45BBF77B8FB04B11F10860AF816EA2D1DB78A950C7A0

Function 00747778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include-once, xrefs: 0074782F
#comments-start, xrefs: 0074785F, 007478B1
#cs, xrefs: 00747873, 007478C5
Unterminated group of comments, xrefs: 0078528C
#pragma compile, xrefs: 007477D3
Cannot parse #include, xrefs: 00785279
', xrefs: 00785169
", xrefs: 00785153
#OnAutoItStartRegister, xrefs: 00747817
#comments-end, xrefs: 007478D9
#ce, xrefs: 007478ED
#notrayicon, xrefs: 007477E7
Bad directive syntax error, xrefs: 0078519A
#include, xrefs: 00747847
#requireadmin, xrefs: 007477FF

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 65eb82faf15bdc50ec3ba7fbf4baae7e9ec5205bf4068480f3643ca73fd75c08
Instruction ID: e3335fb9bbc615b78daf4ba246e9aa7a1776b19b06d4a8e42f5605dbf69af46e
Opcode Fuzzy Hash: 65eb82faf15bdc50ec3ba7fbf4baae7e9ec5205bf4068480f3643ca73fd75c08
Instruction Fuzzy Hash: 2F8104B1A44605FBDB25BF60CC4AFAE77A8AF15300F004025FD05AB292EB7DDA15C7A1

Function 007B3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 007B3EF8
_wcslen.LIBCMT ref: 007B3F03
_wcslen.LIBCMT ref: 007B3F5A
_wcslen.LIBCMT ref: 007B3F98
GetDriveTypeW.KERNEL32(?), ref: 007B3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007B401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007B4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007B4087

Strings

close cd wait, xrefs: 007B4072
closed, xrefs: 007B3F08, 007B3F2D, 007B3F46, 007B3F7E, 007B3F97
close, xrefs: 007B3EFE, 007B3F18
wait, xrefs: 007B4044
set cd door , xrefs: 007B4028
open , xrefs: 007B3FE5
type cdaudio alias cd wait, xrefs: 007B4001
open, xrefs: 007B3F54, 007B3F59

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 2c74e9c03c7ddf36ec2655a6e54e5e9cddcafdefed802179610f43089cc3173d
Instruction ID: fe407f961406231959fe431069760b749f4c4f6267e5513dcfcdd5f3f64e16c5
Opcode Fuzzy Hash: 2c74e9c03c7ddf36ec2655a6e54e5e9cddcafdefed802179610f43089cc3173d
Instruction Fuzzy Hash: C971E1726042129FC710EF24C8819BAB7F4FF94754F10492DF99697291EB38ED49CB91

Function 007A5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 007A5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 007A5A40
SetWindowTextW.USER32(?,?), ref: 007A5A57
GetDlgItem.USER32(?,000003EA), ref: 007A5A6C
SetWindowTextW.USER32(00000000,?), ref: 007A5A72
GetDlgItem.USER32(?,000003E9), ref: 007A5A82
SetWindowTextW.USER32(00000000,?), ref: 007A5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 007A5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 007A5AC3
GetWindowRect.USER32(?,?), ref: 007A5ACC
_wcslen.LIBCMT ref: 007A5B33
SetWindowTextW.USER32(?,?), ref: 007A5B6F
GetDesktopWindow.USER32 ref: 007A5B75
GetWindowRect.USER32(00000000), ref: 007A5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 007A5BD3
GetClientRect.USER32(?,?), ref: 007A5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 007A5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 007A5C2F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 4268f248da3729b813c439dc7cc15cfad2916d74ca2d32cd55e4371b5f3ecb9d
Instruction ID: 80315d218986e8d6f107d70c5652410d8318d0ff222184512dba43c23d667c3e
Opcode Fuzzy Hash: 4268f248da3729b813c439dc7cc15cfad2916d74ca2d32cd55e4371b5f3ecb9d
Instruction Fuzzy Hash: 15718071A00B06EFDB21DFA8CE45B6EBBF5FF88705F104619E142A25A0D778E944CB64

Function 007BFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 007BFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 007BFE32
LoadCursorW.USER32(00000000,00007F00), ref: 007BFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 007BFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 007BFE53
LoadCursorW.USER32(00000000,00007F01), ref: 007BFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 007BFE69
LoadCursorW.USER32(00000000,00007F88), ref: 007BFE74
LoadCursorW.USER32(00000000,00007F80), ref: 007BFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 007BFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 007BFE95
LoadCursorW.USER32(00000000,00007F85), ref: 007BFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 007BFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 007BFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 007BFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 007BFECC
GetCursorInfo.USER32(?), ref: 007BFEDC
GetLastError.KERNEL32 ref: 007BFF1E

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 30d9f8664f1b4e873a35c4b1baf0575777b92400edf000d9f1937a37ce04716f
Instruction ID: b6bf07fb032d938946bf7e922b8a10d61dcd84a7eff80abb55d8a728defa106a
Opcode Fuzzy Hash: 30d9f8664f1b4e873a35c4b1baf0575777b92400edf000d9f1937a37ce04716f
Instruction Fuzzy Hash: 4C4154B0D05319AEDB109FBA8C89D6EBFE8FF04754B50452AE11DE7281DB78D901CE91

Function 007600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007600C6

Part of subcall function 007600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0081070C,00000FA0,C8AD88B2,?,?,?,?,007823B3,000000FF), ref: 0076011C
Part of subcall function 007600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007823B3,000000FF), ref: 00760127
Part of subcall function 007600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007823B3,000000FF), ref: 00760138
Part of subcall function 007600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0076014E
Part of subcall function 007600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0076015C
Part of subcall function 007600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0076016A
Part of subcall function 007600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00760195
Part of subcall function 007600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007601A0

___scrt_fastfail.LIBCMT ref: 007600E7

Part of subcall function 007600A3: __onexit.LIBCMT ref: 007600A9

Strings

WakeAllConditionVariable, xrefs: 00760162
InitializeConditionVariable, xrefs: 00760148
kernel32.dll, xrefs: 00760133
SleepConditionVariableCS, xrefs: 00760154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00760122

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 12a60488035af3e7aedd64d9b907495fdacb5f02da83142f8641169f3972ae0f
Instruction ID: 972f87d03b412f59dff443a1d41ac39a9ee06dcc62031e0f47483c8c389aebe0
Opcode Fuzzy Hash: 12a60488035af3e7aedd64d9b907495fdacb5f02da83142f8641169f3972ae0f
Instruction Fuzzy Hash: 8921077264171AABD7155BA4AC0AB6F37B8EF06B51F10452AFC03D27D1DAAD98008AD4

Function 007A30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007A318D
_wcslen.LIBCMT ref: 007A31F8

Strings

INSTANCE, xrefs: 007A3453
CLASS, xrefs: 007A3188, 007A31A5
REGEXPCLASS, xrefs: 007A3255, 007A3266
CLASSNN, xrefs: 007A31F3, 007A3204
NAME, xrefs: 007A3335, 007A3346
TEXT, xrefs: 007A347C

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 09a91f475f5dee7c39b6c7a7372920b5c667dff42a18d4ca8ac1555c5f910518
Instruction ID: 912b13a23d55ca3ec72cb7bb5546f1f230181cd5f325aa8f10f8f24fb575ac65
Opcode Fuzzy Hash: 09a91f475f5dee7c39b6c7a7372920b5c667dff42a18d4ca8ac1555c5f910518
Instruction Fuzzy Hash: 87E1E732A00516EBCB149FB8C8557EEFB70BF96710F548319F456E7240DB38AE458B90

Function 007B44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,007DCC08), ref: 007B4527
_wcslen.LIBCMT ref: 007B453B
_wcslen.LIBCMT ref: 007B4599
_wcslen.LIBCMT ref: 007B45F4
_wcslen.LIBCMT ref: 007B463F
_wcslen.LIBCMT ref: 007B46A7

Part of subcall function 0075F9F2: _wcslen.LIBCMT ref: 0075F9FD

GetDriveTypeW.KERNEL32(?,00806BF0,00000061), ref: 007B4743

Strings

removable, xrefs: 007B45EA, 007B45EF
cdrom, xrefs: 007B458F, 007B4594
fixed, xrefs: 007B4635, 007B463A
network, xrefs: 007B469D, 007B46A2
ramdisk, xrefs: 007B46F1
all, xrefs: 007B4531, 007B4536
unknown, xrefs: 007B4708

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 034280af098ad70affc811a3cc76dc805ca74c9ebc79c7d5fb65f4bc5526cd1a
Instruction ID: e4162e7ba3c18a22048499c80375813d4f30e36200c18cc4dd725e70658807f4
Opcode Fuzzy Hash: 034280af098ad70affc811a3cc76dc805ca74c9ebc79c7d5fb65f4bc5526cd1a
Instruction Fuzzy Hash: 7DB1E1716083029FC720DF28C894BAAB7E5FFA5724F50491DF596C7292EB38D854CB62

Function 007BC476 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007BC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 007BC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 007BC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007BC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 007BC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 007BC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007BC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007BC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 007BC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 007BC5F0
InternetCloseHandle.WININET(00000000), ref: 007BC5FB

Strings

, xrefs: 007BC575
_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 007BC490

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID: $_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
API String ID: 3800310941-3401428005
Opcode ID: 88bcb4dfe584f11fa5b7f512ec245c5515f3e952626e910bcafe2f931d242bb4
Instruction ID: 81a7616cfb7b1e59becc96e1a9a34aed678664d53beb71bb12981b22f670687e
Opcode Fuzzy Hash: 88bcb4dfe584f11fa5b7f512ec245c5515f3e952626e910bcafe2f931d242bb4
Instruction Fuzzy Hash: 9D514DB1501209BFDB229F60C988BEB7BBCFF08754F14841AF945D6210DB38EA54DB60

Function 007C3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007DCC08), ref: 007C40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007C40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,007DCC08), ref: 007C40F2
FreeLibrary.KERNEL32(00000000,?,007DCC08), ref: 007C413E
StringFromGUID2.OLE32(?,?,00000028,?,007DCC08), ref: 007C41A8
SysFreeString.OLEAUT32(00000009), ref: 007C4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007C42C8
SysFreeString.OLEAUT32(?), ref: 007C42F2

Strings

kernel32.dll, xrefs: 007C40B6
GetModuleHandleExW, xrefs: 007C40C7

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 62449a3ba2ac23b46a4dd3066411b8dec4f8a0a811b181dcc62bb3235ff7b594
Instruction ID: d4c2b4e79e725700e460a9af682a4e98699edeb32b162fab5b447e9256e4ff9b
Opcode Fuzzy Hash: 62449a3ba2ac23b46a4dd3066411b8dec4f8a0a811b181dcc62bb3235ff7b594
Instruction Fuzzy Hash: 4F122875A00119EFDB14CF94C898EAEBBB5FF45314F24809DE905AB251D735EE82CBA0

Function 0074326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00811990), ref: 00782F8D
GetMenuItemCount.USER32(00811990), ref: 0078303D
GetCursorPos.USER32(?), ref: 00783081
SetForegroundWindow.USER32(00000000), ref: 0078308A
TrackPopupMenuEx.USER32(00811990,00000000,?,00000000,00000000,00000000), ref: 0078309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007830A9

Strings

0, xrefs: 0074327D

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 7bc93f0574e1a2f850cf15114faecac6e8218c53ad59cb4578e6ef9e03a89af3
Instruction ID: 52711632df6b56de747895ad2ac159235c07609a9cc2d9c9d280937b029a87c1
Opcode Fuzzy Hash: 7bc93f0574e1a2f850cf15114faecac6e8218c53ad59cb4578e6ef9e03a89af3
Instruction Fuzzy Hash: A3712B70684206BEEB219F24DC4DFAABF75FF05324F204216F629A61E1C7B9AD10DB50

Function 007D6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 007D6DEB

Part of subcall function 00746B57: _wcslen.LIBCMT ref: 00746B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007D6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007D6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007D6E94
DestroyWindow.USER32(?), ref: 007D6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00740000,00000000), ref: 007D6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007D6EFD
GetDesktopWindow.USER32 ref: 007D6F16
GetWindowRect.USER32(00000000), ref: 007D6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007D6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007D6F4D

Part of subcall function 00759944: GetWindowLongW.USER32(?,000000EB), ref: 00759952

Strings

tooltips_class32, xrefs: 007D6E58, 007D6EDD
0, xrefs: 007D6D98

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: d6149f252b1fe0474c35802a435162b813d9479f0ac07727162e2afb8e5d3373
Instruction ID: e7b29e31e3bb7fd77c1a522ce85358b45af3a95953e99614b118f4d92aaabecf
Opcode Fuzzy Hash: d6149f252b1fe0474c35802a435162b813d9479f0ac07727162e2afb8e5d3373
Instruction Fuzzy Hash: 2C716674104245AFDB21CF18DC48EAABBF9FB89304F54451EF99987361C778E906CB16

Function 007D911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00759BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00759BB2

DragQueryPoint.SHELL32(?,?), ref: 007D9147

Part of subcall function 007D7674: ClientToScreen.USER32(?,?), ref: 007D769A
Part of subcall function 007D7674: GetWindowRect.USER32(?,?), ref: 007D7710
Part of subcall function 007D7674: PtInRect.USER32(?,?,007D8B89), ref: 007D7720

SendMessageW.USER32(?,000000B0,?,?), ref: 007D91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007D91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007D91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007D9225
SendMessageW.USER32(?,000000B0,?,?), ref: 007D923E
SendMessageW.USER32(?,000000B1,?,?), ref: 007D9255
SendMessageW.USER32(?,000000B1,?,?), ref: 007D9277
DragFinish.SHELL32(?), ref: 007D927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007D9371

Strings

@GUI_DRAGID, xrefs: 007D92E9
@GUI_DRAGFILE, xrefs: 007D9320
@GUI_DROPID, xrefs: 007D929E

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 3a0676e7a5cf018323586ee8397363d7aab7b73f5713d1fe44817a533c460b11
Instruction ID: e0f33544de393de88dd4b891355f17c32854f31a41cf673c4adc6b935dcf5b5a
Opcode Fuzzy Hash: 3a0676e7a5cf018323586ee8397363d7aab7b73f5713d1fe44817a533c460b11
Instruction Fuzzy Hash: E0616971108301AFC701DF64DC89DABBBF8FF89350F00491EF695922A1DB34AA49CB62

Function 007D856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 007D8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007D85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007D85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007D85BA
GlobalLock.KERNEL32(00000000), ref: 007D85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007D85D7
GlobalUnlock.KERNEL32(00000000), ref: 007D85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007D85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007D85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,007DFC38,?), ref: 007D8611
GlobalFree.KERNEL32(00000000), ref: 007D8621
GetObjectW.GDI32(?,00000018,?), ref: 007D8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 007D8671
DeleteObject.GDI32(?), ref: 007D8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007D86AF

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 32fdeed01763198c5cbaa92279a543cded61b52fd262b48667e95bee0db238ac
Instruction ID: 9f2db606b0048c2ace924a6f9ffbe2118024dacb5006131ed499b21826655149
Opcode Fuzzy Hash: 32fdeed01763198c5cbaa92279a543cded61b52fd262b48667e95bee0db238ac
Instruction Fuzzy Hash: 49414C71601209AFDB118FA5DC48EAE7BBCFF89711F10815AF906E7260DB38AD01CB25

Function 007B14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 007B1502
VariantCopy.OLEAUT32(?,?), ref: 007B150B
VariantClear.OLEAUT32(?), ref: 007B1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007B15FB
VarR8FromDec.OLEAUT32(?,?), ref: 007B1657
VariantInit.OLEAUT32(?), ref: 007B1708
SysFreeString.OLEAUT32(?), ref: 007B178C
VariantClear.OLEAUT32(?), ref: 007B17D8
VariantClear.OLEAUT32(?), ref: 007B17E7
VariantInit.OLEAUT32(00000000), ref: 007B1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 007B1625
Default, xrefs: 007B16AF

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 53475be37c784ecbcdb49454e943a40806173154f46b920bd927002fc7fc7ab7
Instruction ID: ea9fba5ebce09a780581ee598e2109c74265c0632f7bbec92390b3647720ffb4
Opcode Fuzzy Hash: 53475be37c784ecbcdb49454e943a40806173154f46b920bd927002fc7fc7ab7
Instruction Fuzzy Hash: 2BD10372600215EBDB209F64E8A9BF9B7B5BF44700FD08156F806AB180DB7CEC54DBA1

Function 007CB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

Part of subcall function 007CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007CB6AE,?,?), ref: 007CC9B5
Part of subcall function 007CC998: _wcslen.LIBCMT ref: 007CC9F1
Part of subcall function 007CC998: _wcslen.LIBCMT ref: 007CCA68
Part of subcall function 007CC998: _wcslen.LIBCMT ref: 007CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007CB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007CB772
RegDeleteValueW.ADVAPI32(?,?), ref: 007CB80A
RegCloseKey.ADVAPI32(?), ref: 007CB87E
RegCloseKey.ADVAPI32(?), ref: 007CB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 007CB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007CB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 007CB922
FreeLibrary.KERNEL32(00000000), ref: 007CB983
RegCloseKey.ADVAPI32(00000000), ref: 007CB994

Strings

advapi32.dll, xrefs: 007CB8ED
RegDeleteKeyExW, xrefs: 007CB8FE

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 2851f435ead61ff7832d340dfb8c2281e1f2535cf949b51ea2dc5cc6787f8fb1
Instruction ID: 4354fd56f9352fff4067ee8457cb8a9bf3f2a008eceec809e809dd6af62731ee
Opcode Fuzzy Hash: 2851f435ead61ff7832d340dfb8c2281e1f2535cf949b51ea2dc5cc6787f8fb1
Instruction Fuzzy Hash: 19C17B71205201EFD715DF24C499F2ABBE5BF84308F14859DF59A8B2A2CB3AEC45CB91

Function 007C255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007C25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007C25E8
CreateCompatibleDC.GDI32(?), ref: 007C25F4
SelectObject.GDI32(00000000,?), ref: 007C2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 007C266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007C26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007C26D0
SelectObject.GDI32(?,?), ref: 007C26D8
DeleteObject.GDI32(?), ref: 007C26E1
DeleteDC.GDI32(?), ref: 007C26E8
ReleaseDC.USER32(00000000,?), ref: 007C26F3

Strings

(, xrefs: 007C268D

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5ce7944ba83f266e834b5b35cf6e8145cd55cb0d15c76a3f50c4c8ad9268f230
Instruction ID: 952aa884b8784810ccec9cceac03975ff9ce6b6872c5d8e3e1c4936b0be633b1
Opcode Fuzzy Hash: 5ce7944ba83f266e834b5b35cf6e8145cd55cb0d15c76a3f50c4c8ad9268f230
Instruction Fuzzy Hash: BF61E1B5D0021AEFCB05CFA8D884EAEBBB5FF48310F20852EE955A7251D774A941CF64

Function 0077DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0077DAA1

Part of subcall function 0077D63C: _free.LIBCMT ref: 0077D659
Part of subcall function 0077D63C: _free.LIBCMT ref: 0077D66B
Part of subcall function 0077D63C: _free.LIBCMT ref: 0077D67D
Part of subcall function 0077D63C: _free.LIBCMT ref: 0077D68F
Part of subcall function 0077D63C: _free.LIBCMT ref: 0077D6A1
Part of subcall function 0077D63C: _free.LIBCMT ref: 0077D6B3
Part of subcall function 0077D63C: _free.LIBCMT ref: 0077D6C5
Part of subcall function 0077D63C: _free.LIBCMT ref: 0077D6D7
Part of subcall function 0077D63C: _free.LIBCMT ref: 0077D6E9
Part of subcall function 0077D63C: _free.LIBCMT ref: 0077D6FB
Part of subcall function 0077D63C: _free.LIBCMT ref: 0077D70D
Part of subcall function 0077D63C: _free.LIBCMT ref: 0077D71F
Part of subcall function 0077D63C: _free.LIBCMT ref: 0077D731

_free.LIBCMT ref: 0077DA96

Part of subcall function 007729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0077D7D1,00000000,00000000,00000000,00000000,?,0077D7F8,00000000,00000007,00000000,?,0077DBF5,00000000), ref: 007729DE
Part of subcall function 007729C8: GetLastError.KERNEL32(00000000,?,0077D7D1,00000000,00000000,00000000,00000000,?,0077D7F8,00000000,00000007,00000000,?,0077DBF5,00000000,00000000), ref: 007729F0

_free.LIBCMT ref: 0077DAB8
_free.LIBCMT ref: 0077DACD
_free.LIBCMT ref: 0077DAD8
_free.LIBCMT ref: 0077DAFA
_free.LIBCMT ref: 0077DB0D
_free.LIBCMT ref: 0077DB1B
_free.LIBCMT ref: 0077DB26
_free.LIBCMT ref: 0077DB5E
_free.LIBCMT ref: 0077DB65
_free.LIBCMT ref: 0077DB82
_free.LIBCMT ref: 0077DB9A

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 32cca78672ac480629a2b121d9556a9190482fe1a97df2017637db8b82c34edb
Instruction ID: b4e537cbdfdab0cdcdf0969f08a0e303c9b3c42cf8fabeccf8bc25fb55c9e653
Opcode Fuzzy Hash: 32cca78672ac480629a2b121d9556a9190482fe1a97df2017637db8b82c34edb
Instruction Fuzzy Hash: 50314871604305DFEF31AA78E849B5AB7E8FF00390F15C429E55CE71A2DA38BC818B60

Function 007A365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 007A369C
_wcslen.LIBCMT ref: 007A36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 007A3797
GetClassNameW.USER32(?,?,00000400), ref: 007A380C
GetDlgCtrlID.USER32(?), ref: 007A385D
GetWindowRect.USER32(?,?), ref: 007A3882
GetParent.USER32(?), ref: 007A38A0
ScreenToClient.USER32(00000000), ref: 007A38A7
GetClassNameW.USER32(?,?,00000100), ref: 007A3921
GetWindowTextW.USER32(?,?,00000400), ref: 007A395D

Strings

%s%u, xrefs: 007A3734

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 3c79ae8ee9b07f32fcd7ff02147d77c946182d2102d22f410eb0ca658508ea68
Instruction ID: 6cb7cef989499c3a3e20fafd35d7c6f008787f8b0cb6f094638aac1e87022972
Opcode Fuzzy Hash: 3c79ae8ee9b07f32fcd7ff02147d77c946182d2102d22f410eb0ca658508ea68
Instruction Fuzzy Hash: F291C371204706EFD719DF24C885BAAF7A8FF85354F008729F999C2190DB38EA55CBA1

Function 007A4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 007A4994
GetWindowTextW.USER32(?,?,00000400), ref: 007A49DA
_wcslen.LIBCMT ref: 007A49EB
CharUpperBuffW.USER32(?,00000000), ref: 007A49F7
_wcsstr.LIBVCRUNTIME ref: 007A4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 007A4A64
GetWindowTextW.USER32(?,?,00000400), ref: 007A4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 007A4AE6
GetClassNameW.USER32(?,?,00000400), ref: 007A4B20
GetWindowRect.USER32(?,?), ref: 007A4B8B

Strings

ThumbnailClass, xrefs: 007A4A6F, 007A4AF1

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: cab0bcaee1b19d796aace2ddd9cc22467d9643846633fadd16754ebc01cf64cb
Instruction ID: 3cfb66e9858f06fc925d321e1a76124114bbefc65e458cb7fb878df613989337
Opcode Fuzzy Hash: cab0bcaee1b19d796aace2ddd9cc22467d9643846633fadd16754ebc01cf64cb
Instruction Fuzzy Hash: CC91BF71004205DFDB04CF14C985BAAB7E8FFC5314F04866AFD869A096DB7AED45CBA1

Function 007D8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00759BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00759BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007D8D5A
GetFocus.USER32 ref: 007D8D6A
GetDlgCtrlID.USER32(00000000), ref: 007D8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 007D8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007D8ECF
GetMenuItemCount.USER32(?), ref: 007D8EEC
GetMenuItemID.USER32(?,00000000), ref: 007D8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007D8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007D8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007D8FA1

Strings

0, xrefs: 007D8E9F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: a84901531fbc5ce83f3857458a5aa98c4edd3c0514547d338f152c6318702ed8
Instruction ID: d9c653c143df075df796e01dc9a369450e4df598e9149d362a5279e0a7364157
Opcode Fuzzy Hash: a84901531fbc5ce83f3857458a5aa98c4edd3c0514547d338f152c6318702ed8
Instruction Fuzzy Hash: F981BE71504301AFDB50CF24D888AABBBF9FB88714F144A5EF99597391DB78D900CB62

Function 007ABF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00811990,000000FF,00000000,00000030), ref: 007ABFAC
SetMenuItemInfoW.USER32(00811990,00000004,00000000,00000030), ref: 007ABFE1
Sleep.KERNEL32(000001F4), ref: 007ABFF3
GetMenuItemCount.USER32(?), ref: 007AC039
GetMenuItemID.USER32(?,00000000), ref: 007AC056
GetMenuItemID.USER32(?,-00000001), ref: 007AC082
GetMenuItemID.USER32(?,?), ref: 007AC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007AC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007AC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007AC145

Strings

0, xrefs: 007ABF3D

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 8c9aa563490eb3d0f7782d498765ac370c3b13c133e96d366c70eea0e71d16b0
Instruction ID: 93e5ba9c400db59dbf6c8470a4621fa59a66c725c80bb8e04c52ed77fc685bc6
Opcode Fuzzy Hash: 8c9aa563490eb3d0f7782d498765ac370c3b13c133e96d366c70eea0e71d16b0
Instruction Fuzzy Hash: 5B6172B0A0024AFFDF12CF64DD88AAE7BB8EB86344F144255F911A3251D739AD14CB60

Function 007ADC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 007ADC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 007ADC46
_wcslen.LIBCMT ref: 007ADC50
_wcsstr.LIBVCRUNTIME ref: 007ADCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 007ADCBC

Strings

04090000, xrefs: 007ADCF2
DefaultLangCodepage, xrefs: 007ADD1F
\VarFileInfo\Translation, xrefs: 007ADCB4
StringFileInfo\, xrefs: 007ADC8F
%u.%u.%u.%u, xrefs: 007ADD9A

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 70f332f433d8d37fbf52b221ac1e56c469432c56d0efc2b912e19cd6dab4c73d
Instruction ID: 130b115f3724ca318c8441bb75786db116220d800b88ff5e03ec1ddb7b9445be
Opcode Fuzzy Hash: 70f332f433d8d37fbf52b221ac1e56c469432c56d0efc2b912e19cd6dab4c73d
Instruction Fuzzy Hash: 4A410472A40202BADB11A774DC0BEFF776CEF46720F10416AFD02E6182EB7C9D1186A4

Function 007CCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 007CCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 007CCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 007CCD48

Part of subcall function 007CCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 007CCCAA
Part of subcall function 007CCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 007CCCBD
Part of subcall function 007CCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007CCCCF
Part of subcall function 007CCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 007CCD05
Part of subcall function 007CCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 007CCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 007CCCF3

Strings

advapi32.dll, xrefs: 007CCCB8
RegDeleteKeyExW, xrefs: 007CCCC9

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3fa6533ceae46525e02b6cacdedf189946729bcac5ba7f6336ec5076409bd94a
Instruction ID: 8db3bc025c18e02cd40d561a8a647b2a4d13a7e44125dc1babe168700a9724bf
Opcode Fuzzy Hash: 3fa6533ceae46525e02b6cacdedf189946729bcac5ba7f6336ec5076409bd94a
Instruction Fuzzy Hash: 75318571A01129BBDB228B50DC88EFFBB7CEF15740F00416DF90AE6140DB389A45DAB4

Function 007B3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007B3D40
_wcslen.LIBCMT ref: 007B3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 007B3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007B3DBE
RemoveDirectoryW.KERNEL32(?), ref: 007B3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007B3E55
CloseHandle.KERNEL32(00000000), ref: 007B3E60
CloseHandle.KERNEL32(00000000), ref: 007B3E6B

Strings

:, xrefs: 007B3D82
\, xrefs: 007B3D77
\??\%s, xrefs: 007B3D5B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: f90452e331d092f9426934b821dcd2390627ad3f83b277beff498bb9d119e404
Instruction ID: 184a6c36987ac23a843bf6708784de8226557384ed3af958dc77f2b3da8745ac
Opcode Fuzzy Hash: f90452e331d092f9426934b821dcd2390627ad3f83b277beff498bb9d119e404
Instruction Fuzzy Hash: B7319475A4021AABDB219BA0DC49FEF37BCEF89700F5041B6F505D6160EB789784CB64

Function 007AE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 007AE6B4

Part of subcall function 0075E551: timeGetTime.WINMM(?,?,007AE6D4), ref: 0075E555

Sleep.KERNEL32(0000000A), ref: 007AE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 007AE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 007AE727
SetActiveWindow.USER32 ref: 007AE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007AE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 007AE773
Sleep.KERNEL32(000000FA), ref: 007AE77E
IsWindow.USER32 ref: 007AE78A
EndDialog.USER32(00000000), ref: 007AE79B

Strings

BUTTON, xrefs: 007AE719

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 58cc93873a86dcc4ff7ad45ccf4cdd1812ec6c233eace6fffceb3a552198cf18
Instruction ID: 46ce6045e1faff55f35d96f1aade233a415c184f9a111f053057981460c7b4e5
Opcode Fuzzy Hash: 58cc93873a86dcc4ff7ad45ccf4cdd1812ec6c233eace6fffceb3a552198cf18
Instruction Fuzzy Hash: 322154B1201205AFEB019F60EC8DB653B7DFBE6749F108526F515821E1DB7DAC20CB29

Function 007AE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007AEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007AEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007AEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007AEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007AEAA7

Strings

alias PlayMe, xrefs: 007AEA36
status PlayMe mode, xrefs: 007AEA58
play PlayMe, xrefs: 007AEAA2
open , xrefs: 007AEA0C
play PlayMe wait, xrefs: 007AEA91
close PlayMe, xrefs: 007AEA6E, 007AEA9B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 91182f3da4555b464c8b47ef52487f15c3c112d4deadf748ea9cb6e6ea1c8cfb
Instruction ID: 17f4d057d70f0191283f2be960cfa8df1614a715c308a4166ffeff3427682537
Opcode Fuzzy Hash: 91182f3da4555b464c8b47ef52487f15c3c112d4deadf748ea9cb6e6ea1c8cfb
Instruction Fuzzy Hash: AA115131A90259B9E720A7A5DC4AEFF6ABCFFD2B00F0445297411E21D1EB781925C5B0

Function 007A9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007AA012
SetKeyboardState.USER32(?), ref: 007AA07D
GetAsyncKeyState.USER32(000000A0), ref: 007AA09D
GetKeyState.USER32(000000A0), ref: 007AA0B4
GetAsyncKeyState.USER32(000000A1), ref: 007AA0E3
GetKeyState.USER32(000000A1), ref: 007AA0F4
GetAsyncKeyState.USER32(00000011), ref: 007AA120
GetKeyState.USER32(00000011), ref: 007AA12E
GetAsyncKeyState.USER32(00000012), ref: 007AA157
GetKeyState.USER32(00000012), ref: 007AA165
GetAsyncKeyState.USER32(0000005B), ref: 007AA18E
GetKeyState.USER32(0000005B), ref: 007AA19C

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: cc4abc043c9f2af5b2d5974b510d74a284637150002081e87c3136932ad41baf
Instruction ID: 629751b56888bef0d3c802e815b5c398f88fcd09df882def9c8b0ffa643c08a9
Opcode Fuzzy Hash: cc4abc043c9f2af5b2d5974b510d74a284637150002081e87c3136932ad41baf
Instruction Fuzzy Hash: 8A51CA2190578879FB35DB608415BEBBFB49F53340F08879AD5C2571C2EB5C9A4CC762

Function 007A5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 007A5CE2
GetWindowRect.USER32(00000000,?), ref: 007A5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 007A5D59
GetDlgItem.USER32(?,00000002), ref: 007A5D69
GetWindowRect.USER32(00000000,?), ref: 007A5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 007A5DCF
GetDlgItem.USER32(?,000003E9), ref: 007A5DDD
GetWindowRect.USER32(00000000,?), ref: 007A5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 007A5E31
GetDlgItem.USER32(?,000003EA), ref: 007A5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 007A5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 007A5E67

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 3a44dcd3322449cb0ec32278c0900f3b2ce5c4ecfad4a6145f7c3c053307485a
Instruction ID: 0e5269e8c910ce3ea294d74baa7976b94d0570a516843730b0e99b7d8bf5abf1
Opcode Fuzzy Hash: 3a44dcd3322449cb0ec32278c0900f3b2ce5c4ecfad4a6145f7c3c053307485a
Instruction Fuzzy Hash: D3510EB1B00606AFDF19CF68DD89AAEBBB5FB89310F148229F515E7290D7749E04CB50

Function 00758BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00758F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00758BE8,?,00000000,?,?,?,?,00758BBA,00000000,?), ref: 00758FC5

DestroyWindow.USER32(?), ref: 00758C81
KillTimer.USER32(00000000,?,?,?,?,00758BBA,00000000,?), ref: 00758D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00796973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00758BBA,00000000,?), ref: 007969A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00758BBA,00000000,?), ref: 007969B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00758BBA,00000000), ref: 007969D4
DeleteObject.GDI32(00000000), ref: 007969E6

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 44c8add2670d7215c2f5a22202aab5c647f8c3d6ef106c5aa3c09022e632d580
Instruction ID: 6aa9455b0e246d1b01d1b9959b8922c9f73b9d116a52b550edab426a7bb219ec
Opcode Fuzzy Hash: 44c8add2670d7215c2f5a22202aab5c647f8c3d6ef106c5aa3c09022e632d580
Instruction Fuzzy Hash: C861AF30502701DFCF629F14D948BA5BBF1FF40322F14865DE542AA660CBB9AC84CF65

Function 00759838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00759944: GetWindowLongW.USER32(?,000000EB), ref: 00759952

GetSysColor.USER32(0000000F), ref: 00759862

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: b6bc442c8055250f81e4459d2f33dcc8e757faaa6da09edb063a32d935a61db3
Instruction ID: b8c18aeae82c04f0ee85dd91ec92cd954bc2ef783ae8da257ae73e4b421a5bce
Opcode Fuzzy Hash: b6bc442c8055250f81e4459d2f33dcc8e757faaa6da09edb063a32d935a61db3
Instruction Fuzzy Hash: D741B131105654DFDF215F389C88BF93BA5AB06332F148606FEA28B2E1D779AC46DB10

Function 00778D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.v, xrefs: 0077903A, 00778FD0, 00778FF2

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID: .v
API String ID: 0-281053895
Opcode ID: 3797eaf5e90d91cf5cdb808634ae2d70cd566e0a23dabeac6cfa3cdc8b8680d2
Instruction ID: d43defa46c7ffd539ff15311b80f6bf3774a148610201d2f618cd4b7b7802230
Opcode Fuzzy Hash: 3797eaf5e90d91cf5cdb808634ae2d70cd566e0a23dabeac6cfa3cdc8b8680d2
Instruction Fuzzy Hash: 08C1067490524AEFCF11DFA8D849BEDBBB4BF09350F048059E919A7392C7789941CF62

Function 007A96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0078F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 007A9717
LoadStringW.USER32(00000000,?,0078F7F8,00000001), ref: 007A9720

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0078F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 007A9742
LoadStringW.USER32(00000000,?,0078F7F8,00000001), ref: 007A9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 007A9866

Strings

Line %d (File "%s"):, xrefs: 007A978F
Line %d:, xrefs: 007A97A0
^ ERROR, xrefs: 007A97FB
%s (%d) : ==> %s: %s %s, xrefs: 007A984A
Error: , xrefs: 007A981D

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 108d03fca86c571443fb78da3c2e224ed42b02bca32d60389794a21630070a7a
Instruction ID: 820d2e19a2ccb07b4c2d085a0cefceb722b88264ca4f5e909e395710cfab4abc
Opcode Fuzzy Hash: 108d03fca86c571443fb78da3c2e224ed42b02bca32d60389794a21630070a7a
Instruction Fuzzy Hash: 03412C72800219EADF04EBE0DD8ADEEB778AF55340F500125F605B2192EB3D6F58CB61

Function 007A06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00746B57: _wcslen.LIBCMT ref: 00746B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007A07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007A07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007A07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 007A0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 007A082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007A0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007A083C

Strings

SOFTWARE\Classes\, xrefs: 007A070E
\CLSID, xrefs: 007A0724
\IPC$, xrefs: 007A0784

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: f47036bb0225239719d9c7d9d3b12c3e8c0af43a53aa6cc25edf79fc3892931d
Instruction ID: 2268fe1bc904a802ee2f91267c45080e15dd943c69052d0ecc920c21dc16a07d
Opcode Fuzzy Hash: f47036bb0225239719d9c7d9d3b12c3e8c0af43a53aa6cc25edf79fc3892931d
Instruction Fuzzy Hash: 5941F772C10229EBDF15EFA4DC998EEB778FF44350F144529E915A31A1EB389E04CBA0

Function 007D3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007D403B
CreateCompatibleDC.GDI32(00000000), ref: 007D4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007D4055
SelectObject.GDI32(00000000,00000000), ref: 007D405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 007D4068
DeleteDC.GDI32(00000000), ref: 007D4072
GetWindowLongW.USER32(?,000000EC), ref: 007D407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 007D4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 007D409E

Strings

static, xrefs: 007D3FD3

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 03eb2346e6ac14308cac60d2ac6a49f8a5462d64eec1f5b60cf770ab2d8575ec
Instruction ID: 4f548a45ea48b7453efcfd1866209e09424c56346c1fa12bfd88f20ee7b4c600
Opcode Fuzzy Hash: 03eb2346e6ac14308cac60d2ac6a49f8a5462d64eec1f5b60cf770ab2d8575ec
Instruction Fuzzy Hash: 48315C7250121AABDF229FA4DC09FDA3B78EF0D320F114252FA15A61A0D779D820DB64

Function 007C3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007C3C5C
CoInitialize.OLE32(00000000), ref: 007C3C8A
CoUninitialize.OLE32 ref: 007C3C94
_wcslen.LIBCMT ref: 007C3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 007C3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 007C3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 007C3F0E
CoGetObject.OLE32(?,00000000,007DFB98,?), ref: 007C3F2D
SetErrorMode.KERNEL32(00000000), ref: 007C3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007C3FC4
VariantClear.OLEAUT32(?), ref: 007C3FD8

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 964954f3363311531400ab441381e534cabcbc4658c86649de40b6240f4e122d
Instruction ID: cc342bfad01c82448e478bde567871b0d51b0025f3063b6e75e11b44aa32928b
Opcode Fuzzy Hash: 964954f3363311531400ab441381e534cabcbc4658c86649de40b6240f4e122d
Instruction Fuzzy Hash: 50C112B16082059FD700DF68C884E2BBBE9FF89748F14891DF98A9B251D735EE05CB52

Function 007B7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007B7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007B7B8F
SHGetDesktopFolder.SHELL32(?), ref: 007B7BA3
CoCreateInstance.OLE32(007DFD08,00000000,00000001,00806E6C,?), ref: 007B7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007B7C74
CoTaskMemFree.OLE32(?,?), ref: 007B7CCC
SHBrowseForFolderW.SHELL32(?), ref: 007B7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007B7D7A
CoTaskMemFree.OLE32(00000000), ref: 007B7D81
CoTaskMemFree.OLE32(00000000), ref: 007B7DD6
CoUninitialize.OLE32 ref: 007B7DDC

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: f0c3921ccda33c79b7cb0930b2912aa4494c4216b3e2e68e7b7e478c0ca6d3a7
Instruction ID: 13ae68e0b79a2903aa745cf56b291c1961d66c723aba113f52bf393da73b0867
Opcode Fuzzy Hash: f0c3921ccda33c79b7cb0930b2912aa4494c4216b3e2e68e7b7e478c0ca6d3a7
Instruction Fuzzy Hash: BAC12A75A04109EFCB14DFA4C898EAEBBB9FF48304B148499E91ADB361D734ED45CB90

Function 007D541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007D5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007D5515
CharNextW.USER32(00000158), ref: 007D5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007D5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007D559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007D55AC

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 948b0ad72a5ed3122df4a2b0f70a21aee5bab0169565b094a4483b11290c157b
Instruction ID: c422f85ebfc121b5e6b5bf63e4b1f48930476f3a1fa192465bddbd4af8847c5c
Opcode Fuzzy Hash: 948b0ad72a5ed3122df4a2b0f70a21aee5bab0169565b094a4483b11290c157b
Instruction Fuzzy Hash: D8617C30901609EFDF119F54CC84EFE7BB9EF09760F14814AF925A6390D7789A80DB61

Function 0079FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0079FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0079FB08
VariantInit.OLEAUT32(?), ref: 0079FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0079FB3A
VariantCopy.OLEAUT32(?,?), ref: 0079FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0079FBA1
VariantClear.OLEAUT32(?), ref: 0079FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0079FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0079FBCC
VariantClear.OLEAUT32(?), ref: 0079FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0079FBE9

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 090e9f9becd9006f89bb67b6348af27867788b6e1ffe39247206f0d5d576a11d
Instruction ID: 1c1ae583857dde14b92dcb45b5ffd22c9a102be115c4461c01460a4cdbc53b3c
Opcode Fuzzy Hash: 090e9f9becd9006f89bb67b6348af27867788b6e1ffe39247206f0d5d576a11d
Instruction Fuzzy Hash: 1E415F75A0021ADFCF01DF68D8589AEBBB9EF08354F00C069E945E7261CB38A945CBA0

Function 007A9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007A9CA1
GetAsyncKeyState.USER32(000000A0), ref: 007A9D22
GetKeyState.USER32(000000A0), ref: 007A9D3D
GetAsyncKeyState.USER32(000000A1), ref: 007A9D57
GetKeyState.USER32(000000A1), ref: 007A9D6C
GetAsyncKeyState.USER32(00000011), ref: 007A9D84
GetKeyState.USER32(00000011), ref: 007A9D96
GetAsyncKeyState.USER32(00000012), ref: 007A9DAE
GetKeyState.USER32(00000012), ref: 007A9DC0
GetAsyncKeyState.USER32(0000005B), ref: 007A9DD8
GetKeyState.USER32(0000005B), ref: 007A9DEA

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 1d34ceddeb8751aa7ceb54a9681a8f85dada0f12c21b85dab1d56df7192797b9
Instruction ID: c182027c1fc281cb0d222429692d05dae8da5ba868f4951962110e8f5e0545c0
Opcode Fuzzy Hash: 1d34ceddeb8751aa7ceb54a9681a8f85dada0f12c21b85dab1d56df7192797b9
Instruction Fuzzy Hash: 5241D934604BCA69FF31867084443B5BEB06F93354F04825AD7C6565C2E7AC99E4C7A2

Function 007C055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007C05BC
inet_addr.WSOCK32(?), ref: 007C061C
gethostbyname.WSOCK32(?), ref: 007C0628
IcmpCreateFile.IPHLPAPI ref: 007C0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007C06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007C06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007C07B9
WSACleanup.WSOCK32 ref: 007C07BF

Strings

Ping, xrefs: 007C0676

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f2c5928620981db9b7dbf2002c2b57944b39481cc70fbaca19ca9384f38b758d
Instruction ID: e14757f2c1d51b8bb833b0015ee3313f756df1f50fa3c76a6610495152c2c9b6
Opcode Fuzzy Hash: f2c5928620981db9b7dbf2002c2b57944b39481cc70fbaca19ca9384f38b758d
Instruction Fuzzy Hash: CE918B75608201DFD724CF19C889F1ABBE0AF48318F1485ADE4699B6A2C738ED45CFD1

Function 007C8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 007C8CF3

Part of subcall function 007A8E54: _wcslen.LIBCMT ref: 007A8E77

_wcslen.LIBCMT ref: 007C8D4E
_wcslen.LIBCMT ref: 007C8D9C
_wcslen.LIBCMT ref: 007C8DDC
_wcslen.LIBCMT ref: 007C8E6E

Strings

stdcall, xrefs: 007C8DD6, 007C8DDB
cdecl, xrefs: 007C8D48, 007C8D4D
none, xrefs: 007C8E65, 007C8E6A
winapi, xrefs: 007C8D96, 007C8D9B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: b191f01380723a9c22462a6efe454ce96b4edf66df558eaff39ed8ac4d99e38d
Instruction ID: f8945b2e03a38c9c82fb164078aeaec2dc0c3cf9d8b2aa6c624632a4d2ef81b4
Opcode Fuzzy Hash: b191f01380723a9c22462a6efe454ce96b4edf66df558eaff39ed8ac4d99e38d
Instruction Fuzzy Hash: 32519031A00116ABCB54DF6CC940ABEB7A5BF65720B24422DE926E72C5EB39ED40C791

Function 007C372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 007C3774
CoUninitialize.OLE32 ref: 007C377F
CoCreateInstance.OLE32(?,00000000,00000017,007DFB78,?), ref: 007C37D9
IIDFromString.OLE32(?,?), ref: 007C384C
VariantInit.OLEAUT32(?), ref: 007C38E4
VariantClear.OLEAUT32(?), ref: 007C3936

Strings

Failed to create object, xrefs: 007C37E4, 007C389A
Invalid parameter, xrefs: 007C3865
NULL Pointer assignment, xrefs: 007C381E

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 7c52f2efcca24c28cba6c68f39c5ac991454b9a86421df4ea5e3151852f3e7b4
Instruction ID: 5efd99dd24d6fb508bc1439e016ab87a51a78e59e5a7c949ffdefd223e01259b
Opcode Fuzzy Hash: 7c52f2efcca24c28cba6c68f39c5ac991454b9a86421df4ea5e3151852f3e7b4
Instruction Fuzzy Hash: 28618C70608301AFD311DF54C889F6ABBE4EF49715F00890DF9859B291C778EE48CBA6

Function 007B3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007B33CF

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007B33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 007B3522
Line %d (File "%s"):, xrefs: 007B3443, 007B345C
Incorrect parameters to object property !, xrefs: 007B34AB
^ ERROR , xrefs: 007B349E
Error: , xrefs: 007B34D1
"%s" (%d) : ==> %s:%s%s, xrefs: 007B3504

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: f4531f35013ca81896f87de800381f478ae980aab7a906376d81bd38b7429b76
Instruction ID: d207d8bf039fb014ed830008e364eb862c3a7990a613563019baaaeb36f0cec8
Opcode Fuzzy Hash: f4531f35013ca81896f87de800381f478ae980aab7a906376d81bd38b7429b76
Instruction Fuzzy Hash: 75516272900109EADF15EBA0DD4AEEEB778FF04340F104165F61972192EB396F68DB61

Function 007AB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007AB5FC
_wcslen.LIBCMT ref: 007AB608
_wcslen.LIBCMT ref: 007AB64D
_wcslen.LIBCMT ref: 007AB68C
_wcslen.LIBCMT ref: 007AB6C7

Strings

APPEND, xrefs: 007AB6C1, 007AB6C6
REMOVE, xrefs: 007AB602, 007AB607
EXISTS, xrefs: 007AB686, 007AB68B
KEYS, xrefs: 007AB647, 007AB64C

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: a6e336bbd363e92da50ab3f725e8d2c0c29d85038f5798bb7f97ba822bd75ee8
Instruction ID: e4b90b9ed86606c08e281e73a68a2e4b071853a8011f63d5b24e02aca441c97e
Opcode Fuzzy Hash: a6e336bbd363e92da50ab3f725e8d2c0c29d85038f5798bb7f97ba822bd75ee8
Instruction Fuzzy Hash: 0441E632A00126DACB105FBD8C905BEB7A5FFE2754B24432AE521DB286F739DD81C790

Function 007B5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007B53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007B5416
GetLastError.KERNEL32 ref: 007B5420
SetErrorMode.KERNEL32(00000000,READY), ref: 007B54A7

Strings

UNKNOWN, xrefs: 007B5444
NOTREADY, xrefs: 007B544B
READY, xrefs: 007B5460, 007B5468
READONLY, xrefs: 007B5452
INVALID, xrefs: 007B5459

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 043b862627dfb776f8992ff4148201d42eade6e7a40abb968445164fd09b3a71
Instruction ID: b06d15b98b4d473d5c9b2607b7a0c2eaf161af8ae36ab26f9c1bf291fe1eae59
Opcode Fuzzy Hash: 043b862627dfb776f8992ff4148201d42eade6e7a40abb968445164fd09b3a71
Instruction Fuzzy Hash: 5431E175A00245DFD711DF68C888BEABBB4FF05305F188065E901CB292EB79DD86CB90

Function 007D3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 007D3C79
SetMenu.USER32(?,00000000), ref: 007D3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D3D10
IsMenu.USER32(?), ref: 007D3D24
CreatePopupMenu.USER32 ref: 007D3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007D3D5B
DrawMenuBar.USER32 ref: 007D3D63

Strings

F, xrefs: 007D3D4E
0, xrefs: 007D3C54

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b30af45d6a44990371e43cf33e4ed880dd762769d5ab48b2d38e7cb09e0c4bea
Instruction ID: 4ca12418efdd1716c5d9edecf076dbc996302de98401d6b20bb1560d4f0f21e3
Opcode Fuzzy Hash: b30af45d6a44990371e43cf33e4ed880dd762769d5ab48b2d38e7cb09e0c4bea
Instruction Fuzzy Hash: C0418DB5A0120AEFDF14CF64E844ADA7BB6FF49310F24402AF94697360D734AA10CF55

Function 007A1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

Part of subcall function 007A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007A3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 007A1F64
GetDlgCtrlID.USER32 ref: 007A1F6F
GetParent.USER32 ref: 007A1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 007A1F8E
GetDlgCtrlID.USER32(?), ref: 007A1F97
GetParent.USER32(?), ref: 007A1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 007A1FAE

Strings

ListBox, xrefs: 007A1F21
ComboBox, xrefs: 007A1EEC

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: aa85e21cbd7ade1cc69e284fda04a904bc082e73ce835c575f91829bbb94be06
Instruction ID: 0c764a10ef4939e0d8b3e49696961debe5bc9e25414300bc5b8f7b36045ca65e
Opcode Fuzzy Hash: aa85e21cbd7ade1cc69e284fda04a904bc082e73ce835c575f91829bbb94be06
Instruction Fuzzy Hash: BC21AF74901214AFDF05AFA0DC899EEBBB8EF46310F404296B961A72D1CB3C9904DB64

Function 007A1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

Part of subcall function 007A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007A3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 007A2043
GetDlgCtrlID.USER32 ref: 007A204E
GetParent.USER32 ref: 007A206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 007A206D
GetDlgCtrlID.USER32(?), ref: 007A2076
GetParent.USER32(?), ref: 007A208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 007A208D

Strings

ListBox, xrefs: 007A2002
ComboBox, xrefs: 007A1FCD

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 39d5b472ea0789a86f622775538c6d46bd79b08eed2fbacc9590cc8a0dd9ee28
Instruction ID: 51c5601ac07e054191b4aba0c122333255e21fc651a7e278e30e6a27f40bf313
Opcode Fuzzy Hash: 39d5b472ea0789a86f622775538c6d46bd79b08eed2fbacc9590cc8a0dd9ee28
Instruction Fuzzy Hash: F521BE75900214BBCF11AFA4CC89AEFBBB8EF06300F104546B961A72A2CB7D9915DB60

Function 007D3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007D3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007D3AA0
GetWindowLongW.USER32(?,000000F0), ref: 007D3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007D3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007D3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 007D3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 007D3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 007D3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 007D3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 007D3C13

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: eb6c2110d1c834c363182c93d93793ebd36cd1468dab4116ffe95a4155639b36
Instruction ID: 00e0ae36394d927cda80a6486ae9502e498c3a393c00eafc94eea87e8c98967c
Opcode Fuzzy Hash: eb6c2110d1c834c363182c93d93793ebd36cd1468dab4116ffe95a4155639b36
Instruction Fuzzy Hash: 8C615B75900248AFDB10DFA8CC85EEE77B8EF09710F10419AFA15A7391D778AA45DB60

Function 00772C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00772C94

Part of subcall function 007729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0077D7D1,00000000,00000000,00000000,00000000,?,0077D7F8,00000000,00000007,00000000,?,0077DBF5,00000000), ref: 007729DE
Part of subcall function 007729C8: GetLastError.KERNEL32(00000000,?,0077D7D1,00000000,00000000,00000000,00000000,?,0077D7F8,00000000,00000007,00000000,?,0077DBF5,00000000,00000000), ref: 007729F0

_free.LIBCMT ref: 00772CA0
_free.LIBCMT ref: 00772CAB
_free.LIBCMT ref: 00772CB6
_free.LIBCMT ref: 00772CC1
_free.LIBCMT ref: 00772CCC
_free.LIBCMT ref: 00772CD7
_free.LIBCMT ref: 00772CE2
_free.LIBCMT ref: 00772CED
_free.LIBCMT ref: 00772CFB

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b72744bb31048a7941af21af6d304bb0109d078a7583f412e0863e869deb9ec8
Instruction ID: 698f91c9c539250380f450a1a35ecbb737ea27621cf0bcbd70b4e063c5410076
Opcode Fuzzy Hash: b72744bb31048a7941af21af6d304bb0109d078a7583f412e0863e869deb9ec8
Instruction Fuzzy Hash: BA118376100208EFCF02EF64D846C9D7BA5BF09390F5584A5FA586B232D635EA919F90

Function 007B7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007B7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 007B7FC1
GetFileAttributesW.KERNEL32(?), ref: 007B7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 007B8005
SetCurrentDirectoryW.KERNEL32(?), ref: 007B8017
SetCurrentDirectoryW.KERNEL32(?), ref: 007B8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007B80B0

Strings

*.*, xrefs: 007B8066

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 03017b8c7716464212b82fec6f9452fe13993e90569125f86775386c7ae37f88
Instruction ID: 98b70bd36cc692c9f6026a7a739d31eaac486f088456b59c426f9a5b7a73b71b
Opcode Fuzzy Hash: 03017b8c7716464212b82fec6f9452fe13993e90569125f86775386c7ae37f88
Instruction Fuzzy Hash: 94818072508201DBCB68EF14C844AAEB3E8BFC8350F544C5AF885DB250EB39ED49CB52

Function 00745BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00745C7A

Part of subcall function 00745D0A: GetClientRect.USER32(?,?), ref: 00745D30
Part of subcall function 00745D0A: GetWindowRect.USER32(?,?), ref: 00745D71
Part of subcall function 00745D0A: ScreenToClient.USER32(?,?), ref: 00745D99

GetDC.USER32 ref: 007846F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00784708
SelectObject.GDI32(00000000,00000000), ref: 00784716
SelectObject.GDI32(00000000,00000000), ref: 0078472B
ReleaseDC.USER32(?,00000000), ref: 00784733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007847C4

Strings

U, xrefs: 00784693

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 60955abc78ee15e241750f2af5cd7639b6c8fbcc42d8c943252391bfd95fa211
Instruction ID: c8ecd5c74bdcdf8848d6a8a9185b67bf7aad0781aa63fdc33350e7595a5d95fb
Opcode Fuzzy Hash: 60955abc78ee15e241750f2af5cd7639b6c8fbcc42d8c943252391bfd95fa211
Instruction Fuzzy Hash: 8B71F331500207DFCF21AF64C984AFA7BB5FF4A320F18426AED555A2A6D3799C41DF60

Function 007B359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007B35E4

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

LoadStringW.USER32(00812390,?,00000FFF,?), ref: 007B360A

Strings

"%s" (%d) : ==> %s:, xrefs: 007B3742
Line %d (File "%s"):, xrefs: 007B366B
^ ERROR, xrefs: 007B36C9
Error: , xrefs: 007B36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 007B3724

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 287cd90a5797978e03abf076938cb98afe734b443d1ce8fba791e4c212404dc4
Instruction ID: c5136f42a66b96be97dae73d77b0ea171e239be5499a72b97d2d116ba90bd475
Opcode Fuzzy Hash: 287cd90a5797978e03abf076938cb98afe734b443d1ce8fba791e4c212404dc4
Instruction Fuzzy Hash: 94514171900209FADF15EBA0DC8AEEEBB78EF04300F144125F61572191EB395B99DF61

Function 007D8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00759BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00759BB2

Part of subcall function 0075912D: GetCursorPos.USER32(?), ref: 00759141
Part of subcall function 0075912D: ScreenToClient.USER32(00000000,?), ref: 0075915E
Part of subcall function 0075912D: GetAsyncKeyState.USER32(00000001), ref: 00759183
Part of subcall function 0075912D: GetAsyncKeyState.USER32(00000002), ref: 0075919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 007D8B6B
ImageList_EndDrag.COMCTL32 ref: 007D8B71
ReleaseCapture.USER32 ref: 007D8B77
SetWindowTextW.USER32(?,00000000), ref: 007D8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007D8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 007D8CFF

Strings

@GUI_DRAGFILE, xrefs: 007D8C9A
@GUI_DROPID, xrefs: 007D8C51

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: ad1596e2a84f080ee82e35556e66f797336c552014ce2f46dd2c991f273e7aa6
Instruction ID: e7342fe30a0515c76c6b54c66fdd4914761a2d8e362fadddcdf87c63d080b9bd
Opcode Fuzzy Hash: ad1596e2a84f080ee82e35556e66f797336c552014ce2f46dd2c991f273e7aa6
Instruction Fuzzy Hash: 19517C71105204EFD700DF24DC5ABAA77F8FB84710F40066AFA96972E1DB789944CB62

Function 007BC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007BC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007BC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007BC2CA
GetLastError.KERNEL32 ref: 007BC322
SetEvent.KERNEL32(?), ref: 007BC336
InternetCloseHandle.WININET(00000000), ref: 007BC341

Strings

, xrefs: 007BC2BB

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: d2fc313d0321ab075152d01fb94bbb0bf3a04d26e6bf403973f49df4bbfc842b
Instruction ID: a5bb3f5f2f0c0b65df0f95a969cfe7daf594c7f1ed8c0feeeab3e3dcbe0e9294
Opcode Fuzzy Hash: d2fc313d0321ab075152d01fb94bbb0bf3a04d26e6bf403973f49df4bbfc842b
Instruction Fuzzy Hash: D0316BB1601208AFD7229F648C88BEB7BFCEB49754B54C51EF486D7200DB38DD049B65

Function 007A989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00783AAF,?,?,Bad directive syntax error,007DCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007A98BC
LoadStringW.USER32(00000000,?,00783AAF,?), ref: 007A98C3

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 007A9987

Strings

Line %d (File "%s"):, xrefs: 007A992D
., xrefs: 007A996D
Line %d:, xrefs: 007A9912
Error: , xrefs: 007A9955
%s (%d) : ==> %s.: %s %s, xrefs: 007A98F1

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: a71ac70843b8a94c13ffd1747e8063d715b9fe0c7e773a4efd698c8d26b2dd3c
Instruction ID: 220c0079d0992ec6024e826e173543595a2100f4293e1a2a267f4f23260a235f
Opcode Fuzzy Hash: a71ac70843b8a94c13ffd1747e8063d715b9fe0c7e773a4efd698c8d26b2dd3c
Instruction Fuzzy Hash: 4321943280021AFBDF15EF90CC0AEEE7779FF14300F044415F619651A2EB79A628DB60

Function 007A209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007A20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007A20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007A214D

Strings

details, xrefs: 007A20FB
list, xrefs: 007A212F
SHELLDLL_DefView, xrefs: 007A20CC
largeicons, xrefs: 007A20E1
smallicons, xrefs: 007A2115

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 734c2662bab92ae9095d6ed58899fbf449f62f8bc807a84f2bee6855d6241423
Instruction ID: 49d5bea2962146c6202d984b00064029d1c66229a84b2550a0dd909b8a7b9f06
Opcode Fuzzy Hash: 734c2662bab92ae9095d6ed58899fbf449f62f8bc807a84f2bee6855d6241423
Instruction Fuzzy Hash: 8C11E77668470BF9FA012228DC1ADA7379CDB46724B204216FA05E51D2FA6DA8435A14

Function 0077CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0077CEB7
_free.LIBCMT ref: 0077CF22
_free.LIBCMT ref: 0077CF48
_free.LIBCMT ref: 0077CF71
_free.LIBCMT ref: 0077CFA9
_free.LIBCMT ref: 0077CFDA
_free.LIBCMT ref: 0077D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0077D09C
_free.LIBCMT ref: 0077D0B5

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 1c3504adefb53728e076568a2a8a7eeb8beb06517760ea4166a54b55e281af89
Instruction ID: e961d325183987ba13bed51b02f70731810443449e5b1800f0c76e69b42f8960
Opcode Fuzzy Hash: 1c3504adefb53728e076568a2a8a7eeb8beb06517760ea4166a54b55e281af89
Instruction Fuzzy Hash: 53612972904300AFDF22AFB4AC45AAD7BA9AF093D0F04C56EF94DA7242D63D9D41DB50

Function 007D50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 007D5186
ShowWindow.USER32(?,00000000), ref: 007D51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007D51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007D51D1

Part of subcall function 007D6FBA: DeleteObject.GDI32(00000000), ref: 007D6FE6

GetWindowLongW.USER32(?,000000F0), ref: 007D520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007D521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007D524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 007D5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 007D5296

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 1f0515c9581630e5082f4b6d51b068e89b068ea09f7b7b52b21e78d43dcc42f2
Instruction ID: a88a5c2841c54646a1e209267a37bd2255e708edc96f377839baf1c68dde6cb3
Opcode Fuzzy Hash: 1f0515c9581630e5082f4b6d51b068e89b068ea09f7b7b52b21e78d43dcc42f2
Instruction Fuzzy Hash: F5515C70A41A09EFEF209F28CC49BD93B75BB05361F148113FA25963E0C77EA998DB41

Function 00758B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00796890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007968A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007968F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00758874,00000000,00000000,00000000,000000FF,00000000), ref: 00796901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0079691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00758874,00000000,00000000,00000000,000000FF,00000000), ref: 0079692D

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: fc87e527da6cd7fcba5ed61671cc1b07f07bac00a11f00319730511730197ae4
Instruction ID: 1525625095009458766529dd4f395ca79c93912612f6011fcfe45a8816fbdb09
Opcode Fuzzy Hash: fc87e527da6cd7fcba5ed61671cc1b07f07bac00a11f00319730511730197ae4
Instruction Fuzzy Hash: 3F516AB0600209EFDF208F24DC55FAA7BB9FF44761F104619F952A62A0DBB8E954DB50

Function 007BC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007BC182
GetLastError.KERNEL32 ref: 007BC195
SetEvent.KERNEL32(?), ref: 007BC1A9

Part of subcall function 007BC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007BC272
Part of subcall function 007BC253: GetLastError.KERNEL32 ref: 007BC322
Part of subcall function 007BC253: SetEvent.KERNEL32(?), ref: 007BC336
Part of subcall function 007BC253: InternetCloseHandle.WININET(00000000), ref: 007BC341

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: cc8ff679d3c6aab129f007f6721abbe3b716d2b15238888569ca0ba7f6dbe7a7
Instruction ID: 21288530d7bcef55539a91149070a585ddd445fbf0e3635025eb74e1256da144
Opcode Fuzzy Hash: cc8ff679d3c6aab129f007f6721abbe3b716d2b15238888569ca0ba7f6dbe7a7
Instruction Fuzzy Hash: 97317A71201606AFDB229FA5DC48BE6BBF9FF58310B04C41EF956C6610D738E814DBA0

Function 007A25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007A3A57
Part of subcall function 007A3A3D: GetCurrentThreadId.KERNEL32 ref: 007A3A5E
Part of subcall function 007A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007A25B3), ref: 007A3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007A25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007A25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007A25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007A25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007A2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 007A2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 007A260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007A2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 007A2627

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1e34eee2058fe0d4f773f94150de25a9e15afa496394cbd63f843fe425592cfd
Instruction ID: 729be01ebbf80715187f5eba83a353e40c76e06a4a42a572375971ff35f260a4
Opcode Fuzzy Hash: 1e34eee2058fe0d4f773f94150de25a9e15afa496394cbd63f843fe425592cfd
Instruction Fuzzy Hash: 2501B571790224FBFB106B689C8EF593F69DB8AB11F104142F354AE0D1CDE65845CA69

Function 007A1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,007A1449,?,?,00000000), ref: 007A180C
HeapAlloc.KERNEL32(00000000,?,007A1449,?,?,00000000), ref: 007A1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007A1449,?,?,00000000), ref: 007A1828
GetCurrentProcess.KERNEL32(?,00000000,?,007A1449,?,?,00000000), ref: 007A1830
DuplicateHandle.KERNEL32(00000000,?,007A1449,?,?,00000000), ref: 007A1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007A1449,?,?,00000000), ref: 007A1843
GetCurrentProcess.KERNEL32(007A1449,00000000,?,007A1449,?,?,00000000), ref: 007A184B
DuplicateHandle.KERNEL32(00000000,?,007A1449,?,?,00000000), ref: 007A184E
CreateThread.KERNEL32(00000000,00000000,007A1874,00000000,00000000,00000000), ref: 007A1868

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 080edc0142152def17b9b9559a552def9303491df65a228dbd00a390630fbb2a
Instruction ID: 7605a324f994ed99ac1d5ebc40dd81b49e957be3ab2a7e9691b50647d38bd286
Opcode Fuzzy Hash: 080edc0142152def17b9b9559a552def9303491df65a228dbd00a390630fbb2a
Instruction Fuzzy Hash: 4601BFB5241319BFE711AB65DC4EF573B6CEB89B11F418511FA05DB191C6759C00CB24

Function 00773E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00773F0B
__alldvrm.LIBCMT ref: 0077410C
__alldvrm.LIBCMT ref: 0077412E

Strings

}}v, xrefs: 00773E8A
}}v, xrefs: 00773E96, 00773EF1, 00773F0A, 00774090
}}v, xrefs: 007740CD

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}v$}}v$}}v
API String ID: 1036877536-3206339712
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: a2e20217ef5263fffe90a847349a859e62e5daa294db5802733237c4250f6c16
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: B4A13672E003869FDF15DE18C8917AEBBE4EF613D0F1481ADE5999B282C33C8981C751

Function 007CA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 007AD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 007AD501
Part of subcall function 007AD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 007AD50F
Part of subcall function 007AD4DC: CloseHandle.KERNELBASE(00000000), ref: 007AD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 007CA16D
GetLastError.KERNEL32 ref: 007CA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 007CA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 007CA268
GetLastError.KERNEL32(00000000), ref: 007CA273
CloseHandle.KERNEL32(00000000), ref: 007CA2C4

Strings

SeDebugPrivilege, xrefs: 007CA18F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 417c0b183da354cf700758770e23f549a84596f6ed622f42e584cb0cdfcb0ac3
Instruction ID: 889027cc4cffc0aaf4fd8840ba34323085ac547f53c6c5b23f90560f1f2fa78d
Opcode Fuzzy Hash: 417c0b183da354cf700758770e23f549a84596f6ed622f42e584cb0cdfcb0ac3
Instruction Fuzzy Hash: 5F61AF71205256AFD720DF18C498F15BBE1BF84318F18848CE4668B7A3C77AEC45CB92

Function 007D3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007D3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 007D393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007D3954
_wcslen.LIBCMT ref: 007D3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007D39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007D39F4

Strings

SysListView32, xrefs: 007D38F7

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 76d71e34cd7f28780e1ed197238903975248c05bf6ffbc2d18b0bbfc4f3b36f3
Instruction ID: 6d13c0924579322b0cf9abda9a623cef0098cba5f6c464f3d44256f8b95550c8
Opcode Fuzzy Hash: 76d71e34cd7f28780e1ed197238903975248c05bf6ffbc2d18b0bbfc4f3b36f3
Instruction Fuzzy Hash: A841A471A00219ABEF219F64CC49BEA7BB9FF08354F100567F958E7281D779E984CB90

Function 007ABC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007ABCFD
IsMenu.USER32(00000000), ref: 007ABD1D
CreatePopupMenu.USER32 ref: 007ABD53
GetMenuItemCount.USER32(01855120), ref: 007ABDA4
InsertMenuItemW.USER32(01855120,?,00000001,00000030), ref: 007ABDCC

Strings

0, xrefs: 007ABCA8
2, xrefs: 007ABD37

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: bb5e868f974e7f8b68b691ea79641cabe1ae2575178a44f05fec45a5598e1dfa
Instruction ID: 8024b64c55bdd0b1a8b780cedcec190b828fb24ada3fbfa2d861578aa19e3836
Opcode Fuzzy Hash: bb5e868f974e7f8b68b691ea79641cabe1ae2575178a44f05fec45a5598e1dfa
Instruction Fuzzy Hash: 9A519070B00205DBDF15CFB8D888BAEBBF4BF86314F248359E4119B292D778A945CB61

Function 00762D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00762D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00762D53
_ValidateLocalCookies.LIBCMT ref: 00762DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00762E0C
_ValidateLocalCookies.LIBCMT ref: 00762E61

Strings

csm, xrefs: 00762DF6
&Hv, xrefs: 00762DFE, 00762E07, 00762E18

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hv$csm
API String ID: 1170836740-404954504
Opcode ID: c23d7ae45b230b96efa000ded3e5be55cf157a3663ceaed705c48685625f5bac
Instruction ID: b1bfb52fbe3c11f32fde6795beecfca157bdd97b86ea3daad55b20b8d32b28d0
Opcode Fuzzy Hash: c23d7ae45b230b96efa000ded3e5be55cf157a3663ceaed705c48685625f5bac
Instruction Fuzzy Hash: 5241B534B01609EBCF50DF68C849A9EBBB5BF45324F148155EC166B393D739AA02CBD0

Function 007AC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 007AC913

Strings

question, xrefs: 007AC8CC
warning, xrefs: 007AC8FC
blank, xrefs: 007AC895
info, xrefs: 007AC8B4
stop, xrefs: 007AC8E4

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 09f5be72deefbb0dce2a4fb594c4d18212895bd3e1396a68a94fd77f62805752
Instruction ID: 3074055beafcffa6b1627a5718d1e4e4721e944adc81727577aa7bb7fbb53c2b
Opcode Fuzzy Hash: 09f5be72deefbb0dce2a4fb594c4d18212895bd3e1396a68a94fd77f62805752
Instruction Fuzzy Hash: 17112B36689306FEE7065B549C82CAB27DCEF56324B10422EF900E62C2E7AC6D005269

Function 007ADE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007ADE42
gethostname.WSOCK32(?,00000100), ref: 007ADE5C
gethostbyname.WSOCK32(?), ref: 007ADE69
inet_ntoa.WSOCK32(?), ref: 007ADEAB
_strcat.LIBCMT ref: 007ADEB9
WSACleanup.WSOCK32 ref: 007ADEDE

Strings

0.0.0.0, xrefs: 007ADE87

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: a65924f679f50ddee5585464f6124416400e16d88c9bff9af975b88864eab238
Instruction ID: 5957718b04000b00514c9284aa551b9f97c41326db2ca38c73a5e46fd2e793fc
Opcode Fuzzy Hash: a65924f679f50ddee5585464f6124416400e16d88c9bff9af975b88864eab238
Instruction Fuzzy Hash: 3B112471908205EFCB30AB309C0AEEE77BCDB52311F04026AF406A6091EF7C9E80CA60

Function 007D9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00759BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00759BB2

GetSystemMetrics.USER32(0000000F), ref: 007D9FC7
GetSystemMetrics.USER32(0000000F), ref: 007D9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007DA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007DA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007DA263
ShowWindow.USER32(00000003,00000000), ref: 007DA282
InvalidateRect.USER32(?,00000000,00000001), ref: 007DA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 007DA2CA

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: abd5e6ab291e9255f56a176c8e4ad108902a0c3ad9efffd219aa56548a87701f
Instruction ID: 16d5c25046acd23747343cb8b27e9d256a35f2cc21b193aad9bed99a32b1351b
Opcode Fuzzy Hash: abd5e6ab291e9255f56a176c8e4ad108902a0c3ad9efffd219aa56548a87701f
Instruction Fuzzy Hash: E3B1BA31600219EBDF14CF69C9857AE7BB2FF88711F08C06AED459B395D739A940CB61

Function 007AED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 007AED2A
_wcslen.LIBCMT ref: 007AED3B
_wcslen.LIBCMT ref: 007AED79
_wcslen.LIBCMT ref: 007AEDAF
_wcslen.LIBCMT ref: 007AEDDF
_wcslen.LIBCMT ref: 007AEDEF
_wcslen.LIBCMT ref: 007AEE2B
_wcslen.LIBCMT ref: 007AEE5A

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 0fcf85e64fe26f51cbf6415a8b17ca9463a2b2325a2cedbb075fdb25250aab60
Instruction ID: 62bb388ee87661c2ddb9f39ee34bc6acf8e2dddc5ee57385a1eb828e8e649a73
Opcode Fuzzy Hash: 0fcf85e64fe26f51cbf6415a8b17ca9463a2b2325a2cedbb075fdb25250aab60
Instruction Fuzzy Hash: AB41B366D10218F9DB11EBF4888E9CFB7A8AF45310F508562F915F3122FB38E645C3A5

Function 0075F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0079682C,00000004,00000000,00000000), ref: 0075F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0079682C,00000004,00000000,00000000), ref: 0079F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0079682C,00000004,00000000,00000000), ref: 0079F454

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 15a78a349d183e9850e38929c9edb0a29aea91f853346f6c0df79acc8ffc58c2
Instruction ID: 52713499517eea1aecb95bf49a05c862068efd366e9758bcd6bf3c0ad5e8d42e
Opcode Fuzzy Hash: 15a78a349d183e9850e38929c9edb0a29aea91f853346f6c0df79acc8ffc58c2
Instruction Fuzzy Hash: 02412D31604AC0BADB359B28D88C7EA7BA5AF46352F14803DE947D2560C7BEB488C711

Function 007D2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007D2D1B
GetDC.USER32(00000000), ref: 007D2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007D2D2E
ReleaseDC.USER32(00000000,00000000), ref: 007D2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007D2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007D2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007D5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 007D2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007D2DE1

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: dfe5bcf7eaca685fc22b083b3aa28ac1d004a0090faa40684cf564f63e2235ee
Instruction ID: ecfadf6bb61f5c44d6c3539516f2fc82e2e3da2575a0182a38d823744e08a9b7
Opcode Fuzzy Hash: dfe5bcf7eaca685fc22b083b3aa28ac1d004a0090faa40684cf564f63e2235ee
Instruction Fuzzy Hash: 04317F72202214BFEB154F50CC89FEB3BB9EF19715F048056FE089A291D6799C51C7A4

Function 007A5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 007A5637
_memcmp.LIBVCRUNTIME ref: 007A5659
_memcmp.LIBVCRUNTIME ref: 007A5671
_memcmp.LIBVCRUNTIME ref: 007A5684
_memcmp.LIBVCRUNTIME ref: 007A569E
_memcmp.LIBVCRUNTIME ref: 007A56B1
_memcmp.LIBVCRUNTIME ref: 007A56C9
_memcmp.LIBVCRUNTIME ref: 007A56E4

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 0ba49f33f4ecb4cd14723bc12a62e635443a8343d6baa0d9af70134bf105b649
Instruction ID: baf1689b1f086e6440f939d8ad70e80d47383c7c291d7684c446d43b33f4f50e
Opcode Fuzzy Hash: 0ba49f33f4ecb4cd14723bc12a62e635443a8343d6baa0d9af70134bf105b649
Instruction Fuzzy Hash: 0521DEA1741A05F7D21455214E86FFB336CAFA2784F844121FD175A741F72CED2082B5

Function 007C4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 007C502E, 007C5383
Not an Object type, xrefs: 007C5007

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 4ef8be68a26e580a46ab8bf91588fc2ea9135e35e61a6a7e2f1817ee149e87bc
Instruction ID: 3ce7a064e0ea8bdc7dbd85a92c3643b81aa20aca70e3fdab64ab1ce87a6531f3
Opcode Fuzzy Hash: 4ef8be68a26e580a46ab8bf91588fc2ea9135e35e61a6a7e2f1817ee149e87bc
Instruction Fuzzy Hash: 74D19F71A0060A9FDF10CFA8C885FAEB7B5BF48344F14816DE915AB281E775ED81CB90

Function 00781522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,007817FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 007815CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00781651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,007817FB,?,007817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007816E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007816FB

Part of subcall function 00773820: RtlAllocateHeap.NTDLL(00000000,?,00811444,?,0075FDF5,?,?,0074A976,00000010,00811440,007413FC,?,007413C6,?,00741129), ref: 00773852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,007817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00781777
__freea.LIBCMT ref: 007817A2
__freea.LIBCMT ref: 007817AE

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 36b11b43d1454a2f9f8f7646c1a2bed9ad8c5116bab12069c447fefb7d22e618
Instruction ID: 584fb257989832260ee45bbee8b280bdf0c6888db3f29f7c01d001491e556b72
Opcode Fuzzy Hash: 36b11b43d1454a2f9f8f7646c1a2bed9ad8c5116bab12069c447fefb7d22e618
Instruction Fuzzy Hash: 5991D571E402169ADF20AE74CC85EEE7BBD9F49350F984659E806E7141EB3DCD42CB60

Function 007C4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007C4648
VariantInit.OLEAUT32(?), ref: 007C4749
VariantClear.OLEAUT32(?), ref: 007C4753
VariantClear.OLEAUT32(?), ref: 007C47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 007C472C
Null Object assignment in FOR..IN loop, xrefs: 007C45D8, 007C4706, 007C47BE

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 66828ac228911d0f0b3dbce5b9464d0975d8739dd52290144df7236fe02bab5d
Instruction ID: a75b4def97749dafe234bd5ce48c7fd53b1a11ee8136369cf5a065b246dda474
Opcode Fuzzy Hash: 66828ac228911d0f0b3dbce5b9464d0975d8739dd52290144df7236fe02bab5d
Instruction Fuzzy Hash: 2E917E71A00219ABDF20CFA4CC58FAEBBB8EF46714F10855DF915AB280D7789945CBA0

Function 007B1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 007B125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 007B1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007B12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007B12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007B135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007B13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007B1430

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: a3580b173b0d26c4ffc0ee8403ad965e94983bd5f56054ae6c5d9431de8c4576
Instruction ID: f658eed0c2d910736429e6b90d35293b7a9ab2a76d45d5b1adb9ba8413408fc9
Opcode Fuzzy Hash: a3580b173b0d26c4ffc0ee8403ad965e94983bd5f56054ae6c5d9431de8c4576
Instruction Fuzzy Hash: 6991B171A002199FDB01DFA4C8A8BFE77B5FF45725F918029E900E7291D77DA941CB90

Function 0075948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5b7a0a70a6257ad782ea20852429b09f9e74898613435a59096c310f71ffbb23
Instruction ID: 1c7f4fb0b82d8e456617089086f8d346ce4a2bda0bcb979f3710965067f8b665
Opcode Fuzzy Hash: 5b7a0a70a6257ad782ea20852429b09f9e74898613435a59096c310f71ffbb23
Instruction Fuzzy Hash: 95914871D00219EFCB15CFA9CC88AEEBBB8FF48321F148155EA15B7291D378A955CB60

Function 007C3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007C396B
CharUpperBuffW.USER32(?,?), ref: 007C3A7A
_wcslen.LIBCMT ref: 007C3A8A
VariantClear.OLEAUT32(?), ref: 007C3C1F

Part of subcall function 007B0CDF: VariantInit.OLEAUT32(00000000), ref: 007B0D1F
Part of subcall function 007B0CDF: VariantCopy.OLEAUT32(?,?), ref: 007B0D28
Part of subcall function 007B0CDF: VariantClear.OLEAUT32(?), ref: 007B0D34

Strings

AUTOIT.ERROR, xrefs: 007C3A80, 007C3A85
Incorrect Parameter format, xrefs: 007C39A6, 007C3BA1

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 4753fb54e9a66122cb9c93b2bf826a0d2fe4a0481ce8fd5ff25a9f818b68ba32
Instruction ID: 810144e87c0869dde662765ac38dd35511cb10e676f3f3c357ba2dd24270f74b
Opcode Fuzzy Hash: 4753fb54e9a66122cb9c93b2bf826a0d2fe4a0481ce8fd5ff25a9f818b68ba32
Instruction Fuzzy Hash: 9F9123756083059FC714DF28C485A6AB7E4FF89314F14892EF88A9B351DB39EE05CB92

Function 007C4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 007A000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0079FF41,80070057,?,?,?,007A035E), ref: 007A002B
Part of subcall function 007A000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0079FF41,80070057,?,?), ref: 007A0046
Part of subcall function 007A000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0079FF41,80070057,?,?), ref: 007A0054
Part of subcall function 007A000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0079FF41,80070057,?), ref: 007A0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 007C4C51
_wcslen.LIBCMT ref: 007C4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 007C4DCF
CoTaskMemFree.OLE32(?), ref: 007C4DDA

Strings

NULL Pointer assignment, xrefs: 007C4E23, 007C4E52

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 0a9a6ff1648a86b1b815b6a1257f48ae7d7d330589950425d3f04605ac23f6fb
Instruction ID: 2d988936a85d2885d4dfe3db06804c44ced4471d277c60507098c4d2f391201a
Opcode Fuzzy Hash: 0a9a6ff1648a86b1b815b6a1257f48ae7d7d330589950425d3f04605ac23f6fb
Instruction Fuzzy Hash: 9E911471D00219EBDF11DFA4C895EEEB7B8BF08310F10856EE915A7251EB389A44CFA0

Function 007D20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007D2183
GetMenuItemCount.USER32(00000000), ref: 007D21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007D21DD
_wcslen.LIBCMT ref: 007D2213
GetMenuItemID.USER32(?,?), ref: 007D224D
GetSubMenu.USER32(?,?), ref: 007D225B

Part of subcall function 007A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007A3A57
Part of subcall function 007A3A3D: GetCurrentThreadId.KERNEL32 ref: 007A3A5E
Part of subcall function 007A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007A25B3), ref: 007A3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007D22E3

Part of subcall function 007AE97B: Sleep.KERNEL32 ref: 007AE9F3

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 7b2e0655a365e17773855e740e280975b82742bfd4df70f92fece4554fa41c90
Instruction ID: ed9a579c7f966b1d915fd42a2ad301a6f8f3f2947af293aad2db4e57fffc7f5e
Opcode Fuzzy Hash: 7b2e0655a365e17773855e740e280975b82742bfd4df70f92fece4554fa41c90
Instruction Fuzzy Hash: 20718D35A00205EFCB11DF64C845AAEBBF5FF98310F15845AE816AB352DB39ED42CB90

Function 007D7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(018551C0), ref: 007D7F37
IsWindowEnabled.USER32(018551C0), ref: 007D7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 007D801E
SendMessageW.USER32(018551C0,000000B0,?,?), ref: 007D8051
IsDlgButtonChecked.USER32(?,?), ref: 007D8089
GetWindowLongW.USER32(018551C0,000000EC), ref: 007D80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007D80C3

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 64f0d73f4f901f7f031e6b27d8bba06920b3d675e6112a0f5d97ce5a1a77e535
Instruction ID: 68685654bb759c529c4f094ae9eacc6495144a7e5566899342a5810a08f5e23b
Opcode Fuzzy Hash: 64f0d73f4f901f7f031e6b27d8bba06920b3d675e6112a0f5d97ce5a1a77e535
Instruction Fuzzy Hash: 56719074608204AFEF399F54C884FEABBB9FF09300F14445BE95597361DB39A946CB21

Function 007AAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 007AAEF9
GetKeyboardState.USER32(?), ref: 007AAF0E
SetKeyboardState.USER32(?), ref: 007AAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 007AAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 007AAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 007AAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 007AB020

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2b81eb8fe86f52d1f694a81d4b849ffec2aba917d94b76bffe41e50c5eb6f021
Instruction ID: b9751fe5a6ccb146309ba4d79d3ffcabf646a6785c4979f0c1f902aaa3253523
Opcode Fuzzy Hash: 2b81eb8fe86f52d1f694a81d4b849ffec2aba917d94b76bffe41e50c5eb6f021
Instruction Fuzzy Hash: 2E51A1A06047D57DFB3643348C49BBBBEA95B87304F08868AF1D9554C3C39CE884D751

Function 007AACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 007AAD19
GetKeyboardState.USER32(?), ref: 007AAD2E
SetKeyboardState.USER32(?), ref: 007AAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007AADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007AADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007AAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007AAE38

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 692e284881721fd767a7dc95c18767c512540c3472b0331bfcfb3cbd33ea6896
Instruction ID: 7a99c86170cd8534fa1d40e24e962e85f7444fb8595365b44057152d8e9076b1
Opcode Fuzzy Hash: 692e284881721fd767a7dc95c18767c512540c3472b0331bfcfb3cbd33ea6896
Instruction Fuzzy Hash: 6751B6A16087D53DFB3783348C56B7ABEA96B87301F088689E1D5568C3D39CEC84D762

Function 0077542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00783CD6,?,?,?,?,?,?,?,?,00775BA3,?,?,00783CD6,?,?), ref: 00775470
__fassign.LIBCMT ref: 007754EB
__fassign.LIBCMT ref: 00775506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00783CD6,00000005,00000000,00000000), ref: 0077552C
WriteFile.KERNEL32(?,00783CD6,00000000,00775BA3,00000000,?,?,?,?,?,?,?,?,?,00775BA3,?), ref: 0077554B
WriteFile.KERNEL32(?,?,00000001,00775BA3,00000000,?,?,?,?,?,?,?,?,?,00775BA3,?), ref: 00775584

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 452fb43b5b5cf18ad93a110dc9da28aaf42c90dc0b2baa4d3669602490b339e8
Instruction ID: 3ccd4079b70d274fd6ce114d8fc84cf863297224339c66b30ecec73445933d48
Opcode Fuzzy Hash: 452fb43b5b5cf18ad93a110dc9da28aaf42c90dc0b2baa4d3669602490b339e8
Instruction Fuzzy Hash: 7251C3709007499FDF11CFA8D845AEEBBFAEF08340F14811AF559E7291E7749A51CB60

Function 007C10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007C307A
Part of subcall function 007C304E: _wcslen.LIBCMT ref: 007C309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007C1112
WSAGetLastError.WSOCK32 ref: 007C1121
WSAGetLastError.WSOCK32 ref: 007C11C9
closesocket.WSOCK32(00000000), ref: 007C11F9

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 194aa18d1041240ff4b4babb9532e2cacf7295d7bfcea94792589450afb91eb4
Instruction ID: bd5cba04b6a6f1ecb4d0eaa204be9c5dcaf8de52f281dced591e0073678802dc
Opcode Fuzzy Hash: 194aa18d1041240ff4b4babb9532e2cacf7295d7bfcea94792589450afb91eb4
Instruction Fuzzy Hash: B641C231600209AFDB119F14C888FA9B7E9EF46324F58816DFD159B292C77CED41CBA5

Function 007ACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007ACF22,?), ref: 007ADDFD

Part of subcall function 007ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007ACF22,?), ref: 007ADE16

lstrcmpiW.KERNEL32(?,?), ref: 007ACF45
MoveFileW.KERNEL32(?,?), ref: 007ACF7F
_wcslen.LIBCMT ref: 007AD005
_wcslen.LIBCMT ref: 007AD01B
SHFileOperationW.SHELL32(?), ref: 007AD061

Strings

\*.*, xrefs: 007ACFF3

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 65a6104e2918cc8d8d1ce8c764075f473c7c69f620d4eda49dc5bf39040cf9fc
Instruction ID: ccfd7a4b8d6dd1f0359f7edcc3a936b2e0189d51ea882fb6c88fdc3b4ab4ae6e
Opcode Fuzzy Hash: 65a6104e2918cc8d8d1ce8c764075f473c7c69f620d4eda49dc5bf39040cf9fc
Instruction Fuzzy Hash: EA4166729452199FDF13EFA4C985ADEB7B9AF49380F0001E6E505EB141EB38AB44CB50

Function 007D2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 007D2E1C
GetWindowLongW.USER32(?,000000F0), ref: 007D2E4F
GetWindowLongW.USER32(?,000000F0), ref: 007D2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 007D2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 007D2EE0
GetWindowLongW.USER32(?,000000F0), ref: 007D2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007D2F0B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 1719af54094cb34dbf0514c0c56d1895007a132691dd344af08f37d8ff85ba2d
Instruction ID: dd1d5e8375c694d7e54a999b0a52e176230b17cb882c62698e8b5cb144da4458
Opcode Fuzzy Hash: 1719af54094cb34dbf0514c0c56d1895007a132691dd344af08f37d8ff85ba2d
Instruction Fuzzy Hash: FC311530645141AFDB21CF18DC88FA537F4FBAA710F1441A6FA148B2B2CB75E842DB04

Function 007A7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007A7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007A778F
SysAllocString.OLEAUT32(00000000), ref: 007A7792
SysAllocString.OLEAUT32(?), ref: 007A77B0
SysFreeString.OLEAUT32(?), ref: 007A77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007A77DE
SysAllocString.OLEAUT32(?), ref: 007A77EC

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 58675a047b273ff965ccd49fe6b21e9b5c16d4ea72dccb88aacc5ee1fbccb13d
Instruction ID: ce2d7580227013bebf67ee6e0e4fd15fd6e7b27cf2123bcbb907ea123d8d73a8
Opcode Fuzzy Hash: 58675a047b273ff965ccd49fe6b21e9b5c16d4ea72dccb88aacc5ee1fbccb13d
Instruction Fuzzy Hash: D421C17660921AAFDF14DFA8CC88CFB77ACEB4A3647008226FA04DB150D678DC41C764

Function 007A77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007A7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007A7868
SysAllocString.OLEAUT32(00000000), ref: 007A786B
SysAllocString.OLEAUT32 ref: 007A788C
SysFreeString.OLEAUT32 ref: 007A7895
StringFromGUID2.OLE32(?,?,00000028), ref: 007A78AF
SysAllocString.OLEAUT32(?), ref: 007A78BD

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 85d99ccb53fbe856a5d780f0c470c98dfad57fa593bed6bdae0df8cedefe01b7
Instruction ID: 5248a629c5a84c74adf9c0b4930c2e2a8c81ace272ece9f3a4bbc00829d042ae
Opcode Fuzzy Hash: 85d99ccb53fbe856a5d780f0c470c98dfad57fa593bed6bdae0df8cedefe01b7
Instruction Fuzzy Hash: 9721A171609205AFDB149FA8DC8CDAA77ECEF4A3607108225F915CB2A5D67CDC41CB68

Function 007B04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007B04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007B052E

Strings

nul, xrefs: 007B0567

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 4938838731f1441b90a71f141453c7eaeeab7b437c7f4b9f45c2c0a360bc070f
Instruction ID: e0d0077e30f11d859473e6570202cfb5ccea2bb5e5e0c45c03f18cbebda97e06
Opcode Fuzzy Hash: 4938838731f1441b90a71f141453c7eaeeab7b437c7f4b9f45c2c0a360bc070f
Instruction Fuzzy Hash: 21212BB5500206AFDB309F69DC49F9A77B4BF45724F204A19E8A1D62E0E7749960CFA0

Function 007B05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007B05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007B0601

Strings

nul, xrefs: 007B0639

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 90708db1a67fb5e5fb5f24b2f65868800183c8b029f9b8381d9c19d2379af34f
Instruction ID: 1fd8f558bedb1c9f40ff188bd020b7cf155774f8d66d3d6fb09f85a041e5e2ee
Opcode Fuzzy Hash: 90708db1a67fb5e5fb5f24b2f65868800183c8b029f9b8381d9c19d2379af34f
Instruction Fuzzy Hash: 52217F755003169BDB209F698C08BDB77F4BF95724F204B19E8A1E72E0D7749860CB94

Function 007D40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0074600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0074604C
Part of subcall function 0074600E: GetStockObject.GDI32(00000011), ref: 00746060
Part of subcall function 0074600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0074606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007D4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007D411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007D412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007D4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007D4145

Strings

Msctls_Progress32, xrefs: 007D40E3

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 0479a0c429c4a0ee56d46c4720e146d11c163a38299d328d6781a70b40017a9f
Instruction ID: 27fa139d2d521b1796a548070ea1cbc59343e05bf64b7901e0015d05c53c881e
Opcode Fuzzy Hash: 0479a0c429c4a0ee56d46c4720e146d11c163a38299d328d6781a70b40017a9f
Instruction Fuzzy Hash: EB1193B115011DBFEF119F64CC85EE77F6DEF08798F004111B718A2190C6769C21DBA4

Function 0077D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0077D7A3: _free.LIBCMT ref: 0077D7CC

_free.LIBCMT ref: 0077D82D

Part of subcall function 007729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0077D7D1,00000000,00000000,00000000,00000000,?,0077D7F8,00000000,00000007,00000000,?,0077DBF5,00000000), ref: 007729DE
Part of subcall function 007729C8: GetLastError.KERNEL32(00000000,?,0077D7D1,00000000,00000000,00000000,00000000,?,0077D7F8,00000000,00000007,00000000,?,0077DBF5,00000000,00000000), ref: 007729F0

_free.LIBCMT ref: 0077D838
_free.LIBCMT ref: 0077D843
_free.LIBCMT ref: 0077D897
_free.LIBCMT ref: 0077D8A2
_free.LIBCMT ref: 0077D8AD
_free.LIBCMT ref: 0077D8B8

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 92c46a8665066abc1a0f6263ccea0503a407af604eda8ab0d5ecc91ea522039f
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 7E114271540704EADD31BFB4CC4BFCBBBEC6F40780F448815B2ADA60A3DA69B9454A90

Function 007ADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007ADA74
LoadStringW.USER32(00000000), ref: 007ADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007ADA91
LoadStringW.USER32(00000000), ref: 007ADA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 007ADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 007ADAB9

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 1fac117a199b32d76704aefb8a37e0f5de650b9dd6630d9a4fab1c27b33d0dbe
Instruction ID: 39bb2d905452db3e272654c47f0339a2ab2475cf3b8d137229bae1b8effe314a
Opcode Fuzzy Hash: 1fac117a199b32d76704aefb8a37e0f5de650b9dd6630d9a4fab1c27b33d0dbe
Instruction Fuzzy Hash: F00186F2500219BFE7519BA0DD89EEB377CEB09301F408592B706E2041EA789E848F78

Function 007B096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0184E9E8,0184E9E8), ref: 007B097B
EnterCriticalSection.KERNEL32(0184E9C8,00000000), ref: 007B098D
TerminateThread.KERNEL32(?,000001F6), ref: 007B099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 007B09A9
CloseHandle.KERNEL32(?), ref: 007B09B8
InterlockedExchange.KERNEL32(0184E9E8,000001F6), ref: 007B09C8
LeaveCriticalSection.KERNEL32(0184E9C8), ref: 007B09CF

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 9fbd13a78034ea17a4d102184273ff7a3568a8657508b2b372e260f1c7e723d0
Instruction ID: 5e859b95b8f90801984185c0a3c2908aa9685f0cf2c8266da60510c174f96a01
Opcode Fuzzy Hash: 9fbd13a78034ea17a4d102184273ff7a3568a8657508b2b372e260f1c7e723d0
Instruction Fuzzy Hash: E2F0EC32483A13BBD7525FA4EE8DBD6BB39FF05702F406126F242908A1C779A465CF94

Function 007C1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 007C1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007C1DE1
WSAGetLastError.WSOCK32 ref: 007C1DF2
htons.WSOCK32(?,?,?,?,?), ref: 007C1EDB
inet_ntoa.WSOCK32(?), ref: 007C1E8C

Part of subcall function 007A39E8: _strlen.LIBCMT ref: 007A39F2

Part of subcall function 007C3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,007BEC0C), ref: 007C3240

_strlen.LIBCMT ref: 007C1F35

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 4e775f31a394faf37de4b6568f53413bb645f33a751048bc2c537eff6c5fe552
Instruction ID: 3153805fa1a1312aa7cfc424b401d2ae770e3cd53c426f35336037be71195b22
Opcode Fuzzy Hash: 4e775f31a394faf37de4b6568f53413bb645f33a751048bc2c537eff6c5fe552
Instruction Fuzzy Hash: 3AB1CF31204340EFC324DF24C899F2AB7A5AF86318F94855CF4565B2A3DB79ED46CB92

Function 00745D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00745D30
GetWindowRect.USER32(?,?), ref: 00745D71
ScreenToClient.USER32(?,?), ref: 00745D99
GetClientRect.USER32(?,?), ref: 00745ED7
GetWindowRect.USER32(?,?), ref: 00745EF8

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a1b1c13e79304485da679a24385d0c295e3fe6158d02b89307e863e748fcea49
Instruction ID: 89c262993ad97f0ca7c646fe62337ed8a1699e58a16c5bd7b4d566aaf110b7b1
Opcode Fuzzy Hash: a1b1c13e79304485da679a24385d0c295e3fe6158d02b89307e863e748fcea49
Instruction Fuzzy Hash: CBB17835A00B4ADBDB10DFA9C4807EEB7F1FF58310F14851AE8AAD7250DB38AA51DB54

Function 007701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007700D6
__allrem.LIBCMT ref: 007700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0077010B
__allrem.LIBCMT ref: 00770122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00770140

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 352f69e39eed34db66f26e574fb727fd00c7174e131dd5b454a4b51ef1277c03
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 36811872A00706DFEB24AF28DC45BAF73E9AF413A4F24853AF515D7681E778D9008B90

Function 007761FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007682D9,007682D9,?,?,?,0077644F,00000001,00000001,8BE85006), ref: 00776258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0077644F,00000001,00000001,8BE85006,?,?,?), ref: 007762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007763D8
__freea.LIBCMT ref: 007763E5

Part of subcall function 00773820: RtlAllocateHeap.NTDLL(00000000,?,00811444,?,0075FDF5,?,?,0074A976,00000010,00811440,007413FC,?,007413C6,?,00741129), ref: 00773852

__freea.LIBCMT ref: 007763EE
__freea.LIBCMT ref: 00776413

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: eba3e2565af6155a5e4678156cd5cb0e2b326a9a5d54fd1cb69da0cd472312be
Instruction ID: ff4d0b23f323811c1139f709b2f4f3df9ca5523ef80e8f6bbeb0e93845bd9138
Opcode Fuzzy Hash: eba3e2565af6155a5e4678156cd5cb0e2b326a9a5d54fd1cb69da0cd472312be
Instruction Fuzzy Hash: A251E172600A16ABEF258F64CC85EBF77AAEF44790F148629FC09D6145EB38DC40C7A0

Function 007CBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

Part of subcall function 007CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007CB6AE,?,?), ref: 007CC9B5
Part of subcall function 007CC998: _wcslen.LIBCMT ref: 007CC9F1
Part of subcall function 007CC998: _wcslen.LIBCMT ref: 007CCA68
Part of subcall function 007CC998: _wcslen.LIBCMT ref: 007CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007CBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007CBD25
RegCloseKey.ADVAPI32(00000000), ref: 007CBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007CBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007CBDF3
RegCloseKey.ADVAPI32(?), ref: 007CBDFF

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 090c451155e27b8ba0a52c9ae9dcc25470f7296f20c08bff083c2f62b77d14f0
Instruction ID: 2b8ec22725310e0e917bd74ea12d64994fa7655b0cf9c0cf5b338fde9a18fe16
Opcode Fuzzy Hash: 090c451155e27b8ba0a52c9ae9dcc25470f7296f20c08bff083c2f62b77d14f0
Instruction Fuzzy Hash: 2381A070208241EFD714DF24C886E2ABBE5FF84308F14895DF55A4B2A2DB35ED45CB92

Function 0079F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0079F7B9
SysAllocString.OLEAUT32(00000001), ref: 0079F860
VariantCopy.OLEAUT32(0079FA64,00000000), ref: 0079F889
VariantClear.OLEAUT32(0079FA64), ref: 0079F8AD
VariantCopy.OLEAUT32(0079FA64,00000000), ref: 0079F8B1
VariantClear.OLEAUT32(?), ref: 0079F8BB

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: ff861b310f7fd5ba6495ca7ca89de4518e3cd09718eaf9149e3afefa90707f45
Instruction ID: 1f46cdcfb529b8169afe4d7a00d464f1f95c8658a4919439173a2c525634612a
Opcode Fuzzy Hash: ff861b310f7fd5ba6495ca7ca89de4518e3cd09718eaf9149e3afefa90707f45
Instruction Fuzzy Hash: E151D431601310FACF64AF65E899B69B3A8EF45320B248467E905DF291DB78DC40C796

Function 007B910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00747620: _wcslen.LIBCMT ref: 00747625

Part of subcall function 00746B57: _wcslen.LIBCMT ref: 00746B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007B94E5
_wcslen.LIBCMT ref: 007B9506
_wcslen.LIBCMT ref: 007B952D
GetSaveFileNameW.COMDLG32(00000058), ref: 007B9585

Strings

X, xrefs: 007B9412

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: e86eeb5f6e87c5d0a9f6c37d613c9cabda846e0801d5098f008484d68429fe65
Instruction ID: 9630144811b1fb5f66a7f2989999cf26cb344721672617217d21744b2478b461
Opcode Fuzzy Hash: e86eeb5f6e87c5d0a9f6c37d613c9cabda846e0801d5098f008484d68429fe65
Instruction Fuzzy Hash: 24E1B131508340DFD724DF24C885BAAB7E4BF85310F14896DFA999B2A2DB39DD05CB92

Function 0075920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00759BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00759BB2

BeginPaint.USER32(?,?,?), ref: 00759241
GetWindowRect.USER32(?,?), ref: 007592A5
ScreenToClient.USER32(?,?), ref: 007592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007592D3
EndPaint.USER32(?,?,?,?,?), ref: 00759321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007971EA

Part of subcall function 00759339: BeginPath.GDI32(00000000), ref: 00759357

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 11e14c6bfc4a94382e797370735f83a0cc18bd423ebc4716f3918e6542518663
Instruction ID: 047a80f3c61d946256644489403436de0b2762d8df0b76f7631f496fce37d7ba
Opcode Fuzzy Hash: 11e14c6bfc4a94382e797370735f83a0cc18bd423ebc4716f3918e6542518663
Instruction Fuzzy Hash: 5541AB70105205EFDB11DF24D888FEA7BB8FF95321F144229FAA4872A1C7799849DB61

Function 007B07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 007B080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 007B0847
EnterCriticalSection.KERNEL32(?), ref: 007B0863
LeaveCriticalSection.KERNEL32(?), ref: 007B08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007B08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 007B0921

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: b63d509afb4d02cd9df8e8f0e3c830a45a6bfeb08f6a970caf49cf114bcd1bc8
Instruction ID: 3522ea1ce9fa7922d8c22a42052f4e7d5350a3327aa87a9d3d788beedb82fb28
Opcode Fuzzy Hash: b63d509afb4d02cd9df8e8f0e3c830a45a6bfeb08f6a970caf49cf114bcd1bc8
Instruction Fuzzy Hash: 6E419C71900205EFDF15AF54DC85AAA77B8FF04300F1080A9ED009A297D779EE64DBA4

Function 007D81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0079F3AB,00000000,?,?,00000000,?,0079682C,00000004,00000000,00000000), ref: 007D824C
EnableWindow.USER32(?,00000000), ref: 007D8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007D82D1
ShowWindow.USER32(?,00000004), ref: 007D82E5
EnableWindow.USER32(?,00000001), ref: 007D830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 007D832F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 9f78a0dbc74051c4c84486ad32b4fd4cec6e44e11f635febd40f78d629e9b7da
Instruction ID: 42d89b32e987a0bca50cb7e4ab185e1d32301c320f428190aa3299a57af46f67
Opcode Fuzzy Hash: 9f78a0dbc74051c4c84486ad32b4fd4cec6e44e11f635febd40f78d629e9b7da
Instruction Fuzzy Hash: 3B419434601644AFDF51CF25CC99BE87BF0FF0A715F1882AAE6584B362CB35A841CB52

Function 007A4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 007A4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007A4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007A4CEA
_wcslen.LIBCMT ref: 007A4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 007A4D10
_wcsstr.LIBVCRUNTIME ref: 007A4D1A

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: dbbe68b824aba4abb8fca6fadea02d42dcb3a03d075138eaf4651c317a2aad67
Instruction ID: 5e170a1a13ba9fa97bf58b694b7c7548a22bdb14f8ad8e18dd6185e13ab99889
Opcode Fuzzy Hash: dbbe68b824aba4abb8fca6fadea02d42dcb3a03d075138eaf4651c317a2aad67
Instruction Fuzzy Hash: E121F932605201BBEB155B399C4AE7B7BACDFC6750F10817AF909CA191DEAADC01D6A0

Function 007B581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00743AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00743A97,?,?,00742E7F,?,?,?,00000000), ref: 00743AC2

_wcslen.LIBCMT ref: 007B587B
CoInitialize.OLE32(00000000), ref: 007B5995
CoCreateInstance.OLE32(007DFCF8,00000000,00000001,007DFB68,?), ref: 007B59AE
CoUninitialize.OLE32 ref: 007B59CC

Strings

.lnk, xrefs: 007B5876, 007B58C1, 007B5985

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: b9ca3289e84730995db17f35fe4de064abb820d7c5d1579666ff5169f400eea3
Instruction ID: ea6a4c0ccdded84477871868246ec58f95e30528f0ce46c823a5094b4b0c9a50
Opcode Fuzzy Hash: b9ca3289e84730995db17f35fe4de064abb820d7c5d1579666ff5169f400eea3
Instruction Fuzzy Hash: 89D153B1608701DFC714DF24C484A6ABBE5EF89710F14895DF88A9B361DB39EC45CB92

Function 007A175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007A0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007A0FCA
Part of subcall function 007A0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007A0FD6
Part of subcall function 007A0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007A0FE5
Part of subcall function 007A0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007A0FEC
Part of subcall function 007A0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007A1002

GetLengthSid.ADVAPI32(?,00000000,007A1335), ref: 007A17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007A17BA
HeapAlloc.KERNEL32(00000000), ref: 007A17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007A17DA
GetProcessHeap.KERNEL32(00000000,00000000,007A1335), ref: 007A17EE
HeapFree.KERNEL32(00000000), ref: 007A17F5

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7bc3489bf014625d967d4a6255e7ad805f28058b9b8e2a0a0e5fe00b82222758
Instruction ID: dc486fea8116964fee5ef06a5db5dd987c91564c8f90fde22f5bb731f8dfdf7d
Opcode Fuzzy Hash: 7bc3489bf014625d967d4a6255e7ad805f28058b9b8e2a0a0e5fe00b82222758
Instruction Fuzzy Hash: 6511BE72501216FFEB119FA4CC49FAE7BB9EB82355F508219F481A7290D73AAD40CB60

Function 007A14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007A14FF
OpenProcessToken.ADVAPI32(00000000), ref: 007A1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007A1515
CloseHandle.KERNEL32(00000004), ref: 007A1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007A154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 007A1563

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7fa8a6b318b40beb8de9c44afae640ae3248a31950210506f9ec5dfd5be62aa8
Instruction ID: 3f332115b134cf9aa22f468e5cf74261d975c89b5206884071e4e1fd871f357d
Opcode Fuzzy Hash: 7fa8a6b318b40beb8de9c44afae640ae3248a31950210506f9ec5dfd5be62aa8
Instruction Fuzzy Hash: E111297250124AEBEF128F98DD49BDE7BB9EF89754F048115FA05A20A0C379CE60DB61

Function 00763382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00763379,00762FE5), ref: 00763390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0076339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007633B7
SetLastError.KERNEL32(00000000,?,00763379,00762FE5), ref: 00763409

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: f264041a1f67e7fd8a2b7d155f0118dd13c3262dabe85d77e7cde7708c6162f3
Instruction ID: c8625e191a724a4dac0f39b2089509390c96a1e1cc35d7d86ad191ab87b35c56
Opcode Fuzzy Hash: f264041a1f67e7fd8a2b7d155f0118dd13c3262dabe85d77e7cde7708c6162f3
Instruction Fuzzy Hash: 8C01F733609711FEEA252B75BC895672FA4FB05379720432AFD13852F1EF194D11D544

Function 00772D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00775686,00783CD6,?,00000000,?,00775B6A,?,?,?,?,?,0076E6D1,?,00808A48), ref: 00772D78
_free.LIBCMT ref: 00772DAB
_free.LIBCMT ref: 00772DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0076E6D1,?,00808A48,00000010,00744F4A,?,?,00000000,00783CD6), ref: 00772DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0076E6D1,?,00808A48,00000010,00744F4A,?,?,00000000,00783CD6), ref: 00772DEC
_abort.LIBCMT ref: 00772DF2

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 3cd87ca3071ce4674e41031c6cc94c2782d22f257974644e43ce4103912f5d9c
Instruction ID: ac5cfc5f8216954bcc4a785bf179d483367cb83c88fb4b5efd1307e6cf5c0bce
Opcode Fuzzy Hash: 3cd87ca3071ce4674e41031c6cc94c2782d22f257974644e43ce4103912f5d9c
Instruction Fuzzy Hash: 79F0A431A05601BBCE732778BC0EA5A2669BFC27E1F24C519F83C921E7EE2C98435561

Function 007D8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00759639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00759693
Part of subcall function 00759639: SelectObject.GDI32(?,00000000), ref: 007596A2
Part of subcall function 00759639: BeginPath.GDI32(?), ref: 007596B9
Part of subcall function 00759639: SelectObject.GDI32(?,00000000), ref: 007596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 007D8A4E
LineTo.GDI32(?,00000003,00000000), ref: 007D8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 007D8A70
LineTo.GDI32(?,00000000,00000003), ref: 007D8A80
EndPath.GDI32(?), ref: 007D8A90
StrokePath.GDI32(?), ref: 007D8AA0

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a03b135ddb4a8bb93369b990d5d5fcfaf9b6f2de988f294a434293126eda922a
Instruction ID: de166be223cb0028deffe274cd990c4176408beed0083179404e15192c192f87
Opcode Fuzzy Hash: a03b135ddb4a8bb93369b990d5d5fcfaf9b6f2de988f294a434293126eda922a
Instruction Fuzzy Hash: 2811F37600114DFFEF129F90EC88EAA7F6CEB08350F00C022FA199A1A1C7769D55DBA0

Function 007A51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007A5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 007A5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007A5230
ReleaseDC.USER32(00000000,00000000), ref: 007A5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 007A524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 007A5261

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 3880731f309b844046196168c9bcf3504467489aa4e72554a0225743ac94c1dc
Instruction ID: 43121deb36adfddd1db394a9667ca109e6f1e3fde0f3b6652fa456ed7b038873
Opcode Fuzzy Hash: 3880731f309b844046196168c9bcf3504467489aa4e72554a0225743ac94c1dc
Instruction Fuzzy Hash: 8D018FB5A01719BBEB119BA59C49B4EBFB8FF48351F088166FA04A7280D674D800CBA5

Function 00741BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00741BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00741BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00741C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00741C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00741C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00741C22

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b822f699d6d1558b43cee443de3439b2a9ae71caeffac3a072ca49a7d266e236
Instruction ID: edb945f172e8001103454b6b430d2645cb302497af60e1c53ba6441d0ed51147
Opcode Fuzzy Hash: b822f699d6d1558b43cee443de3439b2a9ae71caeffac3a072ca49a7d266e236
Instruction Fuzzy Hash: ED0167B0902B5ABDE3008F6A8C85B52FFB8FF19354F00415BA15C4BA42C7F5A864CBE5

Function 007AEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007AEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007AEB46
GetWindowThreadProcessId.USER32(?,?), ref: 007AEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007AEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007AEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007AEB75

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: af2d64760165d4561ca64144bc37f5e1d6ce2e36d96c01092a0bbbd2907aaa02
Instruction ID: e9602502c5121a624ec2a24cd0156eede0ec282d4205438f4d1f1da186647389
Opcode Fuzzy Hash: af2d64760165d4561ca64144bc37f5e1d6ce2e36d96c01092a0bbbd2907aaa02
Instruction Fuzzy Hash: 9BF05B72142159BBD72257529C0DEEF7F7CEFC7B11F004159F501D1091D7A55A01C6B9

Function 00797439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00797452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00797469
GetWindowDC.USER32(?), ref: 00797475
GetPixel.GDI32(00000000,?,?), ref: 00797484
ReleaseDC.USER32(?,00000000), ref: 00797496
GetSysColor.USER32(00000005), ref: 007974B0

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: be3843df76e4c244d884c439ad11378840e2fca4ca4586a7a840ddcc96bda4c3
Instruction ID: d8bff15ed9352f4356b32b8819391e0019387bad5a8e0e9500aa08e96e9f9445
Opcode Fuzzy Hash: be3843df76e4c244d884c439ad11378840e2fca4ca4586a7a840ddcc96bda4c3
Instruction Fuzzy Hash: B0018B31405216EFDB125FA4EC08BEE7BB5FF04311F2081A1FA16A21B1CB391E51EB14

Function 007A1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 007A187F
UnloadUserProfile.USERENV(?,?), ref: 007A188B
CloseHandle.KERNEL32(?), ref: 007A1894
CloseHandle.KERNEL32(?), ref: 007A189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007A18A5
HeapFree.KERNEL32(00000000), ref: 007A18AC

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 1c8770afec7bb77a27627ef8ef9c9434dbd580215ea4a3d1dc38afcf315f83c2
Instruction ID: babdcfd8096cdd8f3d70878f44cf3d59f9716c4d079eee183f305655b569970e
Opcode Fuzzy Hash: 1c8770afec7bb77a27627ef8ef9c9434dbd580215ea4a3d1dc38afcf315f83c2
Instruction Fuzzy Hash: BEE0E576045116FBDB026FA1ED0C90ABF39FF49B22B10C222F225810B0CB369820DF58

Function 007C7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00760242: EnterCriticalSection.KERNEL32(0081070C,00811884,?,?,0075198B,00812518,?,?,?,007412F9,00000000), ref: 0076024D
Part of subcall function 00760242: LeaveCriticalSection.KERNEL32(0081070C,?,0075198B,00812518,?,?,?,007412F9,00000000), ref: 0076028A

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

Part of subcall function 007600A3: __onexit.LIBCMT ref: 007600A9

__Init_thread_footer.LIBCMT ref: 007C7BFB

Part of subcall function 007601F8: EnterCriticalSection.KERNEL32(0081070C,?,?,00758747,00812514), ref: 00760202
Part of subcall function 007601F8: LeaveCriticalSection.KERNEL32(0081070C,?,00758747,00812514), ref: 00760235

Strings

Variable must be of type 'Object'., xrefs: 007C7C3A
+Ty, xrefs: 007C7E2E
5, xrefs: 007C7C78
G, xrefs: 007C7C7F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Ty$5$G$Variable must be of type 'Object'.
API String ID: 535116098-3104342744
Opcode ID: c21bb4cc4c5ea9217f59ff12b0ca867fd8de02feac28df39c4eada047eae4904
Instruction ID: 38dd022bac30000e3401761fb92b95f8dc40bf2a07e98ad2cae9b46616bd5c55
Opcode Fuzzy Hash: c21bb4cc4c5ea9217f59ff12b0ca867fd8de02feac28df39c4eada047eae4904
Instruction Fuzzy Hash: 00916A70A04209EFCB18EF94D895EADB7B5FF48300F14805DF8069B292DB79AE45DB61

Function 007AC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00747620: _wcslen.LIBCMT ref: 00747625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007AC6EE
_wcslen.LIBCMT ref: 007AC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007AC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007AC7CA

Strings

0, xrefs: 007AC6AF

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: c2db9943edef64388e04d5c179f011ffa068093b21162d1cc930e2d0f38ec2ca
Instruction ID: ebfc4c03f2379d76c6b8ff47fdae5399bbf98289a6c42439228aa86c6d2c8350
Opcode Fuzzy Hash: c2db9943edef64388e04d5c179f011ffa068093b21162d1cc930e2d0f38ec2ca
Instruction Fuzzy Hash: 3551A071605301ABD716DF28C889AAA77E8AF8A310F040B29F9A5D6191DB7CD944CF92

Function 007CAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 007CAEA3

Part of subcall function 00747620: _wcslen.LIBCMT ref: 00747625

GetProcessId.KERNEL32(00000000), ref: 007CAF38
CloseHandle.KERNEL32(00000000), ref: 007CAF67

Strings

@, xrefs: 007CAE72
<, xrefs: 007CAE6B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: c4b4d459c0a023d5b6933050ab24733515ead5126c17428939353946039baf9c
Instruction ID: b7e4e795074fd2c19fbb62e1ed03c8a557763b89b7ac270a4d0896b8abfaf5b3
Opcode Fuzzy Hash: c4b4d459c0a023d5b6933050ab24733515ead5126c17428939353946039baf9c
Instruction Fuzzy Hash: 7A713671A00619EFCB14DF54C489A9EBBF0EF08315F04849DE816AB362C779ED45CB91

Function 007A719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007A7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007A723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 007A724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007A72CF

Strings

DllGetClassObject, xrefs: 007A7242

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 60c0d546eccaef426958c5f656a6a74fda64925a51b4e95b670df4ef567fdf15
Instruction ID: e6bd059d903f6d9178be62f5ed4472c3a959ae22a84694eb84d1bc7d4ebc9341
Opcode Fuzzy Hash: 60c0d546eccaef426958c5f656a6a74fda64925a51b4e95b670df4ef567fdf15
Instruction Fuzzy Hash: D1419DB1604204EFDB19CF54CC84B9A7BB9FF89310F1481AABD059F24AD7B9D941CBA0

Function 007D3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D3E35
IsMenu.USER32(?), ref: 007D3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007D3E92
DrawMenuBar.USER32 ref: 007D3EA5

Strings

0, xrefs: 007D3D89

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 5863711f9116621e7e23b97c5ed989993ac7b2a0065825c759a4c3a1efb40777
Instruction ID: 1fb4da4cf60b5ef82fd2e4f11bba343f4a7f0b2a6f7af6913e078abf76bd4c36
Opcode Fuzzy Hash: 5863711f9116621e7e23b97c5ed989993ac7b2a0065825c759a4c3a1efb40777
Instruction Fuzzy Hash: 18414875A01209EFDB10DF50D984AEABBB9FF49350F04812AE915A7390D738AE54CFA1

Function 007A1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

Part of subcall function 007A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007A3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007A1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 007A1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 007A1EA9

Part of subcall function 00746B57: _wcslen.LIBCMT ref: 00746B6A

Strings

ListBox, xrefs: 007A1E25
ComboBox, xrefs: 007A1DF0

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 6484cade3ddfa1cea225eb864bce57b7aa7c681967191cd89694bd2dac5e09e9
Instruction ID: cf4a975311e7fa21646a193aae75e1cdabe8f90ca17284e9e3b465e2de716096
Opcode Fuzzy Hash: 6484cade3ddfa1cea225eb864bce57b7aa7c681967191cd89694bd2dac5e09e9
Instruction Fuzzy Hash: 3221F371A01104AAEB14AB64DC4ACFFB7B9EF86360F544219F825A72E1DB3C4909C660

Function 007D2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007D2F8D
LoadLibraryW.KERNEL32(?), ref: 007D2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007D2FA9
DestroyWindow.USER32(?), ref: 007D2FB1

Strings

SysAnimate32, xrefs: 007D2F68

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: ab68b027873758c0d7ae5793f7af99a7ca72c6a0f9c36269e3823c0c0b6bc7f6
Instruction ID: 27d57ccb12b5064d67aa8d868dc7fd05b19d66b55f2cb6fecbb267c8fd05929c
Opcode Fuzzy Hash: ab68b027873758c0d7ae5793f7af99a7ca72c6a0f9c36269e3823c0c0b6bc7f6
Instruction Fuzzy Hash: AC21DC71204209ABEB114F64DC84EBB37BDEF69324F104A2AFA50D22A1C779DC43A760

Function 00764D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00764D1E,007728E9,?,00764CBE,007728E9,008088B8,0000000C,00764E15,007728E9,00000002), ref: 00764D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00764DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00764D1E,007728E9,?,00764CBE,007728E9,008088B8,0000000C,00764E15,007728E9,00000002,00000000), ref: 00764DC3

Strings

CorExitProcess, xrefs: 00764D98
mscoree.dll, xrefs: 00764D86

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b314b2654393ca675f7784a21c8bf91223667d4041d0ce49a3c5257456798226
Instruction ID: e55967e1f42858c621d7cfa243f6dbc060b6b62b928de6a115a3b56b4694fa79
Opcode Fuzzy Hash: b314b2654393ca675f7784a21c8bf91223667d4041d0ce49a3c5257456798226
Instruction Fuzzy Hash: 21F0AF70A01219FBDB119F90DC09BAEBBB9EF44751F0041A5FD06A2260CF795980CAD4

Function 0079D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0079D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0079D3BF
FreeLibrary.KERNEL32(00000000), ref: 0079D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0079D3B9
X64, xrefs: 0079D2A8

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: aa78f420f0cb8bd3cc40cf314fd1119f9f3df3ae5c16064ff5bb9674b2f067bd
Instruction ID: 0812f13e3e0c7af38a5250b6d9d900fb472f22553fb3c2fffe5cdfb24611a4fc
Opcode Fuzzy Hash: aa78f420f0cb8bd3cc40cf314fd1119f9f3df3ae5c16064ff5bb9674b2f067bd
Instruction Fuzzy Hash: C8F055B1802A22CBDF362720AC089A93325BF10703B94C15AFC02E2244DB6CCD44C683

Function 00744E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00744EDD,?,00811418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00744E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00744EAE
FreeLibrary.KERNEL32(00000000,?,?,00744EDD,?,00811418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00744EC0

Strings

kernel32.dll, xrefs: 00744E94
Wow64DisableWow64FsRedirection, xrefs: 00744EA8

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 991d727f47445d8fc3a23e11a55ad59d199a3bc84ef9a7ca87a700e3d7ad7bdb
Instruction ID: da920e3ec20fed0b1948b72f3d1617bc7cb90a9bf9e1aa59db22959fd3c6bda8
Opcode Fuzzy Hash: 991d727f47445d8fc3a23e11a55ad59d199a3bc84ef9a7ca87a700e3d7ad7bdb
Instruction Fuzzy Hash: 8EE08C76A02633ABD2331B25AC1CB6B6668AF81B62B094216FC00E2250DF6CCD02D0A4

Function 00744E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00783CDE,?,00811418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00744E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00744E74
FreeLibrary.KERNEL32(00000000,?,?,00783CDE,?,00811418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00744E87

Strings

kernel32.dll, xrefs: 00744E5B
Wow64RevertWow64FsRedirection, xrefs: 00744E6E

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: dbe1277d292679a0c1db1e56f2cf4e0813247b63c274914aed3d2df6db0da42d
Instruction ID: 4bd4072f653790e49ddef6b2023c0e9621d739c9c42c1e26b40d2643ae1ec75c
Opcode Fuzzy Hash: dbe1277d292679a0c1db1e56f2cf4e0813247b63c274914aed3d2df6db0da42d
Instruction Fuzzy Hash: F2D0C271503633578A231B246C08E8B6B2CAF81B113054213B800E3250CF2DCD01D1D4

Function 007B2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007B2C05
DeleteFileW.KERNEL32(?), ref: 007B2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007B2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007B2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007B2CC0

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 227b6391cdf7387d1190af02c5e1e5db73677583d2423763bdfc0eb0b1227a64
Instruction ID: b1f01462a2f64032fe0b3e4c560106ca4b19abf41ca3214b877487e1e1460c53
Opcode Fuzzy Hash: 227b6391cdf7387d1190af02c5e1e5db73677583d2423763bdfc0eb0b1227a64
Instruction Fuzzy Hash: BAB14072D01119EBDF21DBA4CC89EDE7B7DEF48350F1040A6FA09E6152EB389A458F61

Function 007CA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 007CA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007CA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 007CA468
CloseHandle.KERNEL32(?), ref: 007CA63D

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 6a64d554fb2bd548c9ad55f050a82d53bb6e274951af242af4aa57534bc5cf95
Instruction ID: 51c3b47ef97d330027a1c9012c008b4d4c195774e89c2a1a284a88ae56205a51
Opcode Fuzzy Hash: 6a64d554fb2bd548c9ad55f050a82d53bb6e274951af242af4aa57534bc5cf95
Instruction Fuzzy Hash: 13A1C071604301AFD720DF24C886F2AB7E1AF84714F14881DF95A9B392D7B9EC45CB82

Function 0077BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,007E3700), ref: 0077BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0081121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0077BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00811270,000000FF,?,0000003F,00000000,?), ref: 0077BC36
_free.LIBCMT ref: 0077BB7F

Part of subcall function 007729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0077D7D1,00000000,00000000,00000000,00000000,?,0077D7F8,00000000,00000007,00000000,?,0077DBF5,00000000), ref: 007729DE
Part of subcall function 007729C8: GetLastError.KERNEL32(00000000,?,0077D7D1,00000000,00000000,00000000,00000000,?,0077D7F8,00000000,00000007,00000000,?,0077DBF5,00000000,00000000), ref: 007729F0

_free.LIBCMT ref: 0077BD4B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 046be363d78d94881fb87499d08fd21e779373e7c9542862b085b8d0d0763c5c
Instruction ID: 08ae5e6dd35f8fc971fca6aad580dd13c429b04a28621e87bffd4ca85afc1312
Opcode Fuzzy Hash: 046be363d78d94881fb87499d08fd21e779373e7c9542862b085b8d0d0763c5c
Instruction Fuzzy Hash: 0951C871900209EFCF11EF659C85AAEB7BCFF45390B10C26AE568D72A1EB785D41CB60

Function 007AE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007ACF22,?), ref: 007ADDFD

Part of subcall function 007ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007ACF22,?), ref: 007ADE16

Part of subcall function 007AE199: GetFileAttributesW.KERNEL32(?,007ACF95), ref: 007AE19A

lstrcmpiW.KERNEL32(?,?), ref: 007AE473
MoveFileW.KERNEL32(?,?), ref: 007AE4AC
_wcslen.LIBCMT ref: 007AE5EB
_wcslen.LIBCMT ref: 007AE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 007AE650

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: d0005f1088ffdc18f89bf75329e58c71bd7877473e3fcbe6f1c0b5a935b696ae
Instruction ID: b735e0d4809d54d457c57c215005b772ea8894a44b99e25dad0f44238a786d0a
Opcode Fuzzy Hash: d0005f1088ffdc18f89bf75329e58c71bd7877473e3fcbe6f1c0b5a935b696ae
Instruction Fuzzy Hash: BF5153B25083859BC724DBA4DC859DBB3ECAFC5340F004A1EF689D3151EF78A6888766

Function 007CB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

Part of subcall function 007CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007CB6AE,?,?), ref: 007CC9B5
Part of subcall function 007CC998: _wcslen.LIBCMT ref: 007CC9F1
Part of subcall function 007CC998: _wcslen.LIBCMT ref: 007CCA68
Part of subcall function 007CC998: _wcslen.LIBCMT ref: 007CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007CBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007CBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007CBB63
RegCloseKey.ADVAPI32(?,?), ref: 007CBBA6
RegCloseKey.ADVAPI32(00000000), ref: 007CBBB3

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: d6011a14d4c4871c4ea7cf1ed9517e7829d7d7391c827fad029244aef2c084c6
Instruction ID: 42a35cc8ed97fc9793313aceebe5547b8cbf2ef7510729fabd3bda86e4cb55d4
Opcode Fuzzy Hash: d6011a14d4c4871c4ea7cf1ed9517e7829d7d7391c827fad029244aef2c084c6
Instruction Fuzzy Hash: 4B616A71208241EFD714DF24C895F2ABBE5BF84308F14855DF4998B2A2DB39ED45CB92

Function 007A8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007A8BCD
VariantClear.OLEAUT32 ref: 007A8C3E
VariantClear.OLEAUT32 ref: 007A8C9D
VariantClear.OLEAUT32(?), ref: 007A8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 007A8D3B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 10cb533c91ec0149581d1a8063b87d786ad21f230b6baec95952054d06ffd88a
Instruction ID: 72a3dc3865a3ba5369ca2456bd9640de8d9b776be38fe8032744e0ae30d5ca49
Opcode Fuzzy Hash: 10cb533c91ec0149581d1a8063b87d786ad21f230b6baec95952054d06ffd88a
Instruction Fuzzy Hash: 8F515AB5A00219EFCB14CF68C894AAABBF8FF8D310B158559E915DB350E734E911CFA0

Function 007B8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007B8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 007B8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007B8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007B8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007B8C5F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 6f92966669bf44dbc26409062d2cc4f9e9df0cc15ad842b6230419f66e1c5db4
Instruction ID: 310984efff1746431467b8313e459f53787c9dcc1640f92685b0648672939474
Opcode Fuzzy Hash: 6f92966669bf44dbc26409062d2cc4f9e9df0cc15ad842b6230419f66e1c5db4
Instruction Fuzzy Hash: 13515D75A00215DFCB05DF64C885AADBBF5FF48314F088499E849AB362CB39ED51CBA1

Function 007C8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 007C8F40
GetProcAddress.KERNEL32(00000000,?), ref: 007C8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 007C8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 007C9032
FreeLibrary.KERNEL32(00000000), ref: 007C9052

Part of subcall function 0075F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,007B1043,?,7644E610), ref: 0075F6E6
Part of subcall function 0075F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0079FA64,00000000,00000000,?,?,007B1043,?,7644E610,?,0079FA64), ref: 0075F70D

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 638eb81ec4a69e281646d7bcc9fc0338e84b36c033590081f68524b22d6ca849
Instruction ID: 846cd510ca1f02b253d49bd22f3b50ec85f1b22b26fa364ed65382fe08b53013
Opcode Fuzzy Hash: 638eb81ec4a69e281646d7bcc9fc0338e84b36c033590081f68524b22d6ca849
Instruction Fuzzy Hash: 2F512A35601205DFC755DF58C488DADBBB1FF49314B08809DE909AB362DB39ED85CB91

Function 007D6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 007D6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 007D6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 007D6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,007BAB79,00000000,00000000), ref: 007D6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 007D6CC7

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: b7da0600c87fcd4e02dbc6fbbac7de7ca996dc89a412ce1749cd32779ee2fa0a
Instruction ID: 3b30266c3a92b81999554906aa459b40519381fcfb799c49d2475dcc24d48410
Opcode Fuzzy Hash: b7da0600c87fcd4e02dbc6fbbac7de7ca996dc89a412ce1749cd32779ee2fa0a
Instruction Fuzzy Hash: 2D41D075A10104AFDB25CF28CD58FA97BB5EB09360F14426AF999A73E0C379FD40CA60

Function 00772051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007720C3
_free.LIBCMT ref: 007720E3

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1dd8d4c596ac4efbc96c4fb2ea4058a4d08dc18627d41db69bc1ddfa7735e7cb
Instruction ID: c9e01edec0e2cd25a8ea6c897854466f40b8ac5d9f8bca726f9265f24b8348b9
Opcode Fuzzy Hash: 1dd8d4c596ac4efbc96c4fb2ea4058a4d08dc18627d41db69bc1ddfa7735e7cb
Instruction Fuzzy Hash: 5841D432A00204DFCF20DF78C885A5DB3E5FF89354F1585A8E929EB352D635AD02CB91

Function 0075912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00759141
ScreenToClient.USER32(00000000,?), ref: 0075915E
GetAsyncKeyState.USER32(00000001), ref: 00759183
GetAsyncKeyState.USER32(00000002), ref: 0075919D

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: fc898820894bad8e10dcb1251edfd00f6e423518e54488a647ae38ffc2ca4402
Instruction ID: f6b50a7550361e590c7a10a6968d02ef67b70fc9e7bf1e3283e35a50b30a08d6
Opcode Fuzzy Hash: fc898820894bad8e10dcb1251edfd00f6e423518e54488a647ae38ffc2ca4402
Instruction Fuzzy Hash: 1041903190861BFBDF099F68D848BEEB774FB45321F208216E929A3290C7785D54CB51

Function 007B3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007B38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 007B3922
TranslateMessage.USER32(?), ref: 007B394B
DispatchMessageW.USER32(?), ref: 007B3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007B3966

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: c064d3c66c2ff504389d6af6bb30713e89c4566319f72fad43059748f752dea3
Instruction ID: 1c4a0c3e1b291ad0be3524edbe05630f92a6f0af156ba6c91ee2b2f80d10d9ef
Opcode Fuzzy Hash: c064d3c66c2ff504389d6af6bb30713e89c4566319f72fad43059748f752dea3
Instruction Fuzzy Hash: 93318670504342EEEF25CB34984CBF67BA8AF05308F14856EE566C21A0E7BCB6C5CB21

Function 007BCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,007BC21E,00000000), ref: 007BCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 007BCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,007BC21E,00000000), ref: 007BCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,007BC21E,00000000), ref: 007BCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,007BC21E,00000000), ref: 007BCFF2

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 81d9cfb0270b8eb7cde98842272208e23f25b249b4cc27c47acbd782a87e576c
Instruction ID: bb671d7bc203ebd3763e6f3ec239edd13ea4cdd7fc5aa7d2955490c5376e2c4b
Opcode Fuzzy Hash: 81d9cfb0270b8eb7cde98842272208e23f25b249b4cc27c47acbd782a87e576c
Instruction Fuzzy Hash: 92315072600206EFDB21DFA5C884AFBBBF9EB14351B10846EF506D2140D738EE41DB60

Function 007A1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007A1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007A19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007A19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007A19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007A19E2

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 493cd11a47f637d37d13cad40863b0fe66c1a07e5473a7a278bf917c3ddbd977
Instruction ID: eb66a14c403c1d64585205c35cbf5553cbaaa476c8f395ad53bb4b2f21d4be5d
Opcode Fuzzy Hash: 493cd11a47f637d37d13cad40863b0fe66c1a07e5473a7a278bf917c3ddbd977
Instruction Fuzzy Hash: 0E31BF72A00259EFDB04CFA8CD99ADE3BB5EB45315F108329F961AB2D1C774AD44CB90

Function 007D5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 007D5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 007D579D
_wcslen.LIBCMT ref: 007D57AF
_wcslen.LIBCMT ref: 007D57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 007D5816

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 066b117a34b187929338077c8bc9ab5c1e0a15044b41f524eff6ab98dc54e444
Instruction ID: 59a5c017087467c37d0f6c3eb66f3263d3ea737e346978f36d22cf945e23da68
Opcode Fuzzy Hash: 066b117a34b187929338077c8bc9ab5c1e0a15044b41f524eff6ab98dc54e444
Instruction Fuzzy Hash: 81218271904618EBDB209FA4CC89EEE77B8FF04724F108257E929EA280D7789985CF51

Function 007C0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007C0951
GetForegroundWindow.USER32 ref: 007C0968
GetDC.USER32(00000000), ref: 007C09A4
GetPixel.GDI32(00000000,?,00000003), ref: 007C09B0
ReleaseDC.USER32(00000000,00000003), ref: 007C09E8

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 3e8a5ee2a11086734a5546ab7033ec627e138d4b2e9ed740ae05bbe5965270a8
Instruction ID: 48434624ef6f6de0898c4e50a8d998b1cf037b9c0b0c30ac29818accd8008a89
Opcode Fuzzy Hash: 3e8a5ee2a11086734a5546ab7033ec627e138d4b2e9ed740ae05bbe5965270a8
Instruction Fuzzy Hash: 48214C35600214EFD704EF65C888AAEBBF5EB48700B04806DE84A97352DB38EC04CB90

Function 0077CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0077CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0077CDE9

Part of subcall function 00773820: RtlAllocateHeap.NTDLL(00000000,?,00811444,?,0075FDF5,?,?,0074A976,00000010,00811440,007413FC,?,007413C6,?,00741129), ref: 00773852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0077CE0F
_free.LIBCMT ref: 0077CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0077CE31

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 531cb8bbae37e107b4bcbcfcc2481826c02cb1fb7ae583641e6267f42cbd76f2
Instruction ID: 89d20b4701306ddfe3ae0a883392f63016c010cff07d4c67e7b2390c29696707
Opcode Fuzzy Hash: 531cb8bbae37e107b4bcbcfcc2481826c02cb1fb7ae583641e6267f42cbd76f2
Instruction Fuzzy Hash: 8001D8726026157F2F2316B66C4CC7B6A6DDFCABE1315812EF909C7101DAA98D0281B5

Function 00759639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00759693
SelectObject.GDI32(?,00000000), ref: 007596A2
BeginPath.GDI32(?), ref: 007596B9
SelectObject.GDI32(?,00000000), ref: 007596E2

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 74c0d9d35672d2e434356e148574f8dcc511d822cf8bc99b51331019d84317a8
Instruction ID: b9f903910a8fe1c36aa3605f6ba4acb79954afc5aff3f44b63de2491944b40ff
Opcode Fuzzy Hash: 74c0d9d35672d2e434356e148574f8dcc511d822cf8bc99b51331019d84317a8
Instruction Fuzzy Hash: 93217170802306EBDF119F24EC197E97FB9FF00316F508216FA20A61A0D3B95859CF94

Function 007A5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 007A5726
_memcmp.LIBVCRUNTIME ref: 007A5744
_memcmp.LIBVCRUNTIME ref: 007A5757
_memcmp.LIBVCRUNTIME ref: 007A576F
_memcmp.LIBVCRUNTIME ref: 007A5787

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8a831e1e49c872f0ce92cb2af8d97dcfb70ba1f31624919bdd85a73593f20c7d
Instruction ID: f8002dba41ab0f267e1e6c2dd6844c307dcb8a4fc8f4ed2341b8c6e60a6e59b0
Opcode Fuzzy Hash: 8a831e1e49c872f0ce92cb2af8d97dcfb70ba1f31624919bdd85a73593f20c7d
Instruction Fuzzy Hash: 0501F5A1241A09FBD21C92219D86FBB735C9BA23A4F444122FD1BBA341F72CED1082B0

Function 00772DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0076F2DE,00773863,00811444,?,0075FDF5,?,?,0074A976,00000010,00811440,007413FC,?,007413C6), ref: 00772DFD
_free.LIBCMT ref: 00772E32
_free.LIBCMT ref: 00772E59
SetLastError.KERNEL32(00000000,00741129), ref: 00772E66
SetLastError.KERNEL32(00000000,00741129), ref: 00772E6F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 282a26ec36a7fab1dd7a91e2af018d828cf038d2c0c66be3baca3b1a9475495b
Instruction ID: 3548594e659b2899bb8c95a2ddb83d7eb5514fdbf64621cc35d94c86dfd1792e
Opcode Fuzzy Hash: 282a26ec36a7fab1dd7a91e2af018d828cf038d2c0c66be3baca3b1a9475495b
Instruction Fuzzy Hash: 5901F432205600BBCE1327346C4ED2B266DBBC57E5B24C129F83DA22E3EFAC8C434421

Function 007A000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0079FF41,80070057,?,?,?,007A035E), ref: 007A002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0079FF41,80070057,?,?), ref: 007A0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0079FF41,80070057,?,?), ref: 007A0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0079FF41,80070057,?), ref: 007A0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0079FF41,80070057,?,?), ref: 007A0070

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: d19e2d3d4436644ca79fd5b791854b2ce1c20caa7437a4d52a26fd58d51a9dd2
Instruction ID: 3217f0976690e85e0fb22397107705003825099b3464cd411834b3bfed4edd8e
Opcode Fuzzy Hash: d19e2d3d4436644ca79fd5b791854b2ce1c20caa7437a4d52a26fd58d51a9dd2
Instruction Fuzzy Hash: 6A01DF76601205BFDB114F68DC08FAB7BBEEB84351F108625F901D6210D778CD00EBA0

Function 007AE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 007AE997
QueryPerformanceFrequency.KERNEL32(?), ref: 007AE9A5
Sleep.KERNEL32(00000000), ref: 007AE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 007AE9B7
Sleep.KERNEL32 ref: 007AE9F3

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 537517cc9c454c83b5fc71c2e54b85907e0be5c97ff39865ba68da9605efa035
Instruction ID: 2ceacb55be12da6046ba219f16c621fd383f562b6c0b048addb6b1e82ee7b437
Opcode Fuzzy Hash: 537517cc9c454c83b5fc71c2e54b85907e0be5c97ff39865ba68da9605efa035
Instruction Fuzzy Hash: 5E016D72C0162EDBCF00AFE5DC49AEEBB78FF4A301F004646E542B2141DB38A551C766

Function 007A10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007A1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,007A0B9B,?,?,?), ref: 007A1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,007A0B9B,?,?,?), ref: 007A112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,007A0B9B,?,?,?), ref: 007A1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007A114D

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 4164d607fa2596d89fd39ed637875fe790ba689ac2f195803f5f7e3e5432442b
Instruction ID: b97e359f00e3bff869d3beeb9cbe998c772826392c6442a91a99e3db090f70c6
Opcode Fuzzy Hash: 4164d607fa2596d89fd39ed637875fe790ba689ac2f195803f5f7e3e5432442b
Instruction Fuzzy Hash: C1016D7510121ABFEB124F68DC49A6A3B7EEF86364B104415FA41D3350DA35DC00DA60

Function 007A0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007A0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007A0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007A0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007A0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007A1002

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f7aec0a28a42c1018c5a922aebb1a4cc4fb9753bba794a3466d148dbfbf88cb6
Instruction ID: ff2043449fb248e745a972f3b6cdabbcc0fbd8ae31de4b0a9e39858ed5c2e1c4
Opcode Fuzzy Hash: f7aec0a28a42c1018c5a922aebb1a4cc4fb9753bba794a3466d148dbfbf88cb6
Instruction Fuzzy Hash: 58F0A975201316EBEB220FA49C4AF573BBDEF8A762F508416FA45C6290CA39DC40CA60

Function 007A1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007A102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007A1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007A104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A1062

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 620eafd809f846738a0bca95291d010ff814e08801551783effcf241345ff052
Instruction ID: c33bd2539e3f06760f1043b022bf6ac699de5602f4e9beac6646aeedd09b4720
Opcode Fuzzy Hash: 620eafd809f846738a0bca95291d010ff814e08801551783effcf241345ff052
Instruction Fuzzy Hash: D6F0CD75201316EBEB221FA4EC49F573BBDEF8A761F104416FA45C7290CA79DC40CA60

Function 007B030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,007B017D,?,007B32FC,?,00000001,00782592,?), ref: 007B0324
CloseHandle.KERNEL32(?,?,?,?,007B017D,?,007B32FC,?,00000001,00782592,?), ref: 007B0331
CloseHandle.KERNEL32(?,?,?,?,007B017D,?,007B32FC,?,00000001,00782592,?), ref: 007B033E
CloseHandle.KERNEL32(?,?,?,?,007B017D,?,007B32FC,?,00000001,00782592,?), ref: 007B034B
CloseHandle.KERNEL32(?,?,?,?,007B017D,?,007B32FC,?,00000001,00782592,?), ref: 007B0358
CloseHandle.KERNEL32(?,?,?,?,007B017D,?,007B32FC,?,00000001,00782592,?), ref: 007B0365

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 3c0c8f9e84de68fb2a7aecccae44d5942b09bc1fc27f156c183cb94d61512b8c
Instruction ID: 759fa0aee292b585a9696192296795218aa0f7850137695c3b0f907035f16ac6
Opcode Fuzzy Hash: 3c0c8f9e84de68fb2a7aecccae44d5942b09bc1fc27f156c183cb94d61512b8c
Instruction Fuzzy Hash: E601EA72800B058FCB30AF66D880943FBF9BF603053058A3FD19292930C3B4A988CF80

Function 0077D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0077D752

Part of subcall function 007729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0077D7D1,00000000,00000000,00000000,00000000,?,0077D7F8,00000000,00000007,00000000,?,0077DBF5,00000000), ref: 007729DE
Part of subcall function 007729C8: GetLastError.KERNEL32(00000000,?,0077D7D1,00000000,00000000,00000000,00000000,?,0077D7F8,00000000,00000007,00000000,?,0077DBF5,00000000,00000000), ref: 007729F0

_free.LIBCMT ref: 0077D764
_free.LIBCMT ref: 0077D776
_free.LIBCMT ref: 0077D788
_free.LIBCMT ref: 0077D79A

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3097815084800923b136f385861c2ddcce47ced44a33bccf2525232154dec850
Instruction ID: 1455430f524fee466a417442c4d8afb472b65c396341b9ba0b40c6946ce8e1ea
Opcode Fuzzy Hash: 3097815084800923b136f385861c2ddcce47ced44a33bccf2525232154dec850
Instruction Fuzzy Hash: ACF04F32500304ABCA75EB78F9C5C16BBEDBF44390B988805F15CE7512C728FC818EA4

Function 007A5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 007A5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 007A5C6F
MessageBeep.USER32(00000000), ref: 007A5C87
KillTimer.USER32(?,0000040A), ref: 007A5CA3
EndDialog.USER32(?,00000001), ref: 007A5CBD

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 1fcbb4a2a2cc798271cbdaf3967bcbbc1cf9806aa33fda7b2169a911b85af3b7
Instruction ID: 2c7ddde5a6f419646ca24140c5ee7cb6e5b572622b25dcc5e70e8ef03b7342e8
Opcode Fuzzy Hash: 1fcbb4a2a2cc798271cbdaf3967bcbbc1cf9806aa33fda7b2169a911b85af3b7
Instruction Fuzzy Hash: 4801F930500B05ABEB215B10ED4EFA677B8FF01B06F00175AB583A10E0DBFCA984CBA4

Function 007722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007722BE

Part of subcall function 007729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0077D7D1,00000000,00000000,00000000,00000000,?,0077D7F8,00000000,00000007,00000000,?,0077DBF5,00000000), ref: 007729DE
Part of subcall function 007729C8: GetLastError.KERNEL32(00000000,?,0077D7D1,00000000,00000000,00000000,00000000,?,0077D7F8,00000000,00000007,00000000,?,0077DBF5,00000000,00000000), ref: 007729F0

_free.LIBCMT ref: 007722D0
_free.LIBCMT ref: 007722E3
_free.LIBCMT ref: 007722F4
_free.LIBCMT ref: 00772305

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3f35b0debfff047c225e0ee25a0d46d304b781361e9c10dfa1216c940a86cbe5
Instruction ID: 30f06fd6db1b0a8b3af15ce1752853e6d78ca81def0e3b099570e934b85de955
Opcode Fuzzy Hash: 3f35b0debfff047c225e0ee25a0d46d304b781361e9c10dfa1216c940a86cbe5
Instruction Fuzzy Hash: 9FF03070401210CBCF52AF64BC06C887B68FB19790B06C61AF528E22B6CB7914939FA4

Function 007595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007595D4
StrokeAndFillPath.GDI32(?,?,007971F7,00000000,?,?,?), ref: 007595F0
SelectObject.GDI32(?,00000000), ref: 00759603
DeleteObject.GDI32 ref: 00759616
StrokePath.GDI32(?), ref: 00759631

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 62f74fb92eee5f9ada9d574ffa98d1e40830e9a0ddfb8b89d3ffff9b2bad9a91
Instruction ID: 9474e68ded18dadbb54fa95e2ecefff75a2a1b4a2477812aabd17f51ccd966d1
Opcode Fuzzy Hash: 62f74fb92eee5f9ada9d574ffa98d1e40830e9a0ddfb8b89d3ffff9b2bad9a91
Instruction Fuzzy Hash: 9FF0F270006209EBDF225F69ED1CBE43F69BB00322F44C215EA25590F0D77989AADF24

Function 00770F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007710F9
__freea.LIBCMT ref: 00771117

Part of subcall function 00771537: _free.LIBCMT ref: 0077154F

Strings

a/p, xrefs: 007711DE
am/pm, xrefs: 0077117A

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 979f411205de50a66f7eb3f861f11e7181bf1344811ca6c711068633371564ae
Instruction ID: 73d678c665082ca72671c1001f5c0918f88ae403486ba73cc6d5010564fdcc4d
Opcode Fuzzy Hash: 979f411205de50a66f7eb3f861f11e7181bf1344811ca6c711068633371564ae
Instruction Fuzzy Hash: 9DD1F231A00206CADF249F6CC895BFAB7B5FF06780FA4C159E909AB651D33D9D80CB91

Function 00775AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOt, xrefs: 00775BA8, 00775C6C

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID: JOt
API String ID: 0-2730833899
Opcode ID: 2368cf1b69f49d16f96b4efa2f0431cc9e5e706d1d21b33b60b57e42d15c1542
Instruction ID: 88870eb949c92c73197188597a3102ad8527542eb07841fa520d13bd3fc58987
Opcode Fuzzy Hash: 2368cf1b69f49d16f96b4efa2f0431cc9e5e706d1d21b33b60b57e42d15c1542
Instruction Fuzzy Hash: 405191B1D0060ADFDF129FA4C849FFE7BB8AF05390F14815AF809A7291D7B99901CB61

Function 00778A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00778B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00778B7A
__dosmaperr.LIBCMT ref: 00778B81

Strings

.v, xrefs: 00778A63

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .v
API String ID: 2434981716-281053895
Opcode ID: 7d99d7f347040ff834a37369636df34163ce22b99e685c29e9eec8dc68091931
Instruction ID: d2f5197e6ac244f8c2ffd0b970a7d5d7d4e68230f36633108c6693ebe77638a1
Opcode Fuzzy Hash: 7d99d7f347040ff834a37369636df34163ce22b99e685c29e9eec8dc68091931
Instruction Fuzzy Hash: C1417CF0604145AFCF659F24CC89A7D7FA5EF85380F29C1AAF85D87652DE398C028792

Function 007A2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007AB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007A21D0,?,?,00000034,00000800,?,00000034), ref: 007AB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 007A2760

Part of subcall function 007AB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007A21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 007AB3F8

Part of subcall function 007AB32A: GetWindowThreadProcessId.USER32(?,?), ref: 007AB355
Part of subcall function 007AB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,007A2194,00000034,?,?,00001004,00000000,00000000), ref: 007AB365
Part of subcall function 007AB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,007A2194,00000034,?,?,00001004,00000000,00000000), ref: 007AB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007A27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007A281A

Strings

@, xrefs: 007A2832

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: f3273c32e07c3a946341f18964239f183a0bc97968e3af57b16c234b5aa596cd
Instruction ID: e024263b373b5a4046ae13aafc902b54dec3f086bf06573023cac8664e0d8a68
Opcode Fuzzy Hash: f3273c32e07c3a946341f18964239f183a0bc97968e3af57b16c234b5aa596cd
Instruction Fuzzy Hash: 3B414C72900218AFDB10DFA8CD45AEEBBB8EF4A300F008195FA55B7181DB746F45CBA0

Function 0077172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00771769
_free.LIBCMT ref: 00771834
_free.LIBCMT ref: 0077183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00771760, 00771767, 00771796, 007717CE

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: 891a6cc635bbafe4fd517e19980a32f10e85574b9c8dbfc5168f47fb8cfd5835
Instruction ID: 513abfdf1ea1b0aad4c596e0cde7c11938d7654aa020dfce1e9fb587e92a1a41
Opcode Fuzzy Hash: 891a6cc635bbafe4fd517e19980a32f10e85574b9c8dbfc5168f47fb8cfd5835
Instruction Fuzzy Hash: A2318071A00218EFDF25DF99D889D9EBBFCEF853A0B548166F908D7211D6748E40CB91

Function 007AC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007AC306
DeleteMenu.USER32(?,00000007,00000000), ref: 007AC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00811990,01855120), ref: 007AC395

Strings

0, xrefs: 007AC2DF

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 7f35a8cbee277c305c4559f9e6eb3d11a39bbbc27451f7393d203875daeff6ff
Instruction ID: 22a8077b945bbb56e4ca3cf12cfa181966f769defa5991b2ae2535ec1739802e
Opcode Fuzzy Hash: 7f35a8cbee277c305c4559f9e6eb3d11a39bbbc27451f7393d203875daeff6ff
Instruction Fuzzy Hash: 0A41A031208301EFDB21DF25D845B1ABBE8AFC6310F10871DF9A5972D1D778A904CB62

Function 007D4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007DCC08,00000000,?,?,?,?), ref: 007D44AA
GetWindowLongW.USER32 ref: 007D44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007D44D7

Strings

SysTreeView32, xrefs: 007D447C

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: f0534adc80bdaae187486e10a603a5622cd3615e7dfd0d6d8077f1a01b930b24
Instruction ID: 7c4ec0bce6d79276b0a36e8bcc9d1d6dd163e53af70b197d895446288afa9231
Opcode Fuzzy Hash: f0534adc80bdaae187486e10a603a5622cd3615e7dfd0d6d8077f1a01b930b24
Instruction Fuzzy Hash: 99317E71210246AFDF219E38DC49BDA7BB9EB08324F204716F979A22D0D778EC909750

Function 007A6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 007A6EED
VariantCopyInd.OLEAUT32(?,?), ref: 007A6F08
VariantClear.OLEAUT32(?), ref: 007A6F12

Strings

*jz, xrefs: 007A6E8B, 007A6E90, 007A6EF8

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jz
API String ID: 2173805711-3847815467
Opcode ID: 9b72d465e0aab18a7848442dd9846e71852e7b11c613af2c8e23cb92b2cb4992
Instruction ID: 74004a3dfbe1d3d75cf2a3c1e257e2a0213ae733d15418e45a9c72a42385d20b
Opcode Fuzzy Hash: 9b72d465e0aab18a7848442dd9846e71852e7b11c613af2c8e23cb92b2cb4992
Instruction Fuzzy Hash: F631D171608245DFCB05AFA4E8559BD77B6FF86701B140598F8025B2A1C73CDD12CBD0

Function 007C304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007C335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,007C3077,?,?), ref: 007C3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007C307A
_wcslen.LIBCMT ref: 007C309B
htons.WSOCK32(00000000,?,?,00000000), ref: 007C3106

Strings

255.255.255.255, xrefs: 007C3095, 007C309A

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 97ec538732b0b168e2994c14fca7a2c6adb3ec6936052ba365ad0000863967fa
Instruction ID: c29623988ee9592fd40dfe749213228275edeebcdbe86538341dee5f56e31c80
Opcode Fuzzy Hash: 97ec538732b0b168e2994c14fca7a2c6adb3ec6936052ba365ad0000863967fa
Instruction Fuzzy Hash: D231AE36200205DFDB10CF68C485FAA77A1EF14318F28C15DE9168B392DB3AEE85C761

Function 007D3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007D3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007D3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 007D3F78

Strings

SysMonthCal32, xrefs: 007D3F0B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 805d78df0772c25faa8574d8c1224525e825b9438a34710473bd2d30e311cefc
Instruction ID: 0c48ed72f0b3a4faf2b32e810789db17d48fbee65ba245a7307b575c59e618a4
Opcode Fuzzy Hash: 805d78df0772c25faa8574d8c1224525e825b9438a34710473bd2d30e311cefc
Instruction Fuzzy Hash: 54219C32610219BFDF229F50DC46FEA3B79EF48714F110215FA15AB2D0D6B9AD50CBA0

Function 007D4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007D4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007D4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007D471A

Strings

msctls_updown32, xrefs: 007D4684

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: e7e5d6c09e271c4ace0d3b2be6ca8ca3a52f1064f2e4afe47b58b03087bd2ad4
Instruction ID: 0b31db7530e5530ca1213e0cc228e3c8ce54734fdd3e81256fd63bc4f6dd1440
Opcode Fuzzy Hash: e7e5d6c09e271c4ace0d3b2be6ca8ca3a52f1064f2e4afe47b58b03087bd2ad4
Instruction Fuzzy Hash: 5D214AB5600209AFDB11DF64DCC5DA637BDEF4A3A4B04005AFA109B3A1CB35EC11CA60

Function 007A95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007A961D

Strings

#OnAutoItStartRegister, xrefs: 007A95F3
#notrayicon, xrefs: 007A95B7
#requireadmin, xrefs: 007A95D9

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: a47c6d80c691519f2a192cc2c08ed76e88e157261580369bd208434bbec9e55d
Instruction ID: b809500d0e7a131d7fc5238420a24027b0d30184f80cf2caab0a59d876ef0e6d
Opcode Fuzzy Hash: a47c6d80c691519f2a192cc2c08ed76e88e157261580369bd208434bbec9e55d
Instruction Fuzzy Hash: 44215B72504610A6D331AB249C07FB773E89FD2300F504526FB5A97181EB5DAD71C2D6

Function 007D37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007D3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007D3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007D3876

Strings

Listbox, xrefs: 007D380F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a73e891e2b33a3eaacf2850b68be07b6e4bd33e7e8f6773d48120b3dcd94399b
Instruction ID: 4a0dc686c078d4163c27ae613809565e4fc10a366f7ac3a056bf7ce94b91a4e5
Opcode Fuzzy Hash: a73e891e2b33a3eaacf2850b68be07b6e4bd33e7e8f6773d48120b3dcd94399b
Instruction Fuzzy Hash: B321C272610119BBEF119F54CC85FBB377EEF89760F108126F9049B290C679DC5197A1

Function 007B49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007B4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007B4A5C
SetErrorMode.KERNEL32(00000000,?,?,007DCC08), ref: 007B4AD0

Strings

%lu, xrefs: 007B4A6F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 9df0a5875644cce05b6b4bd08894628b30905249ba439c3c345da358a5815a85
Instruction ID: 69d33da4bd465a1263df679169e062e8b58967a4fa5eb369c8d5271ee266d80d
Opcode Fuzzy Hash: 9df0a5875644cce05b6b4bd08894628b30905249ba439c3c345da358a5815a85
Instruction Fuzzy Hash: 76314F71A00119EFD711DF64C985EAA77F8EF04304F148095E909DB252D779ED45CB61

Function 007D41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007D424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007D4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007D4271

Strings

msctls_trackbar32, xrefs: 007D4226

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 565f2c7eea64219af03f9704e89cf8523ef6e0c8b5fbd9dab54665cb20307b44
Instruction ID: 0b9d8cf0fe6b32860f184266a61cfd59bec4914297dbc5a5292a21189db91199
Opcode Fuzzy Hash: 565f2c7eea64219af03f9704e89cf8523ef6e0c8b5fbd9dab54665cb20307b44
Instruction Fuzzy Hash: 7111E031240208BFEF205F28CC06FAB3BBCFF95B64F114125FA55E21A0D676E8119B20

Function 007A2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00746B57: _wcslen.LIBCMT ref: 00746B6A

Part of subcall function 007A2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 007A2DC5
Part of subcall function 007A2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 007A2DD6
Part of subcall function 007A2DA7: GetCurrentThreadId.KERNEL32 ref: 007A2DDD
Part of subcall function 007A2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 007A2DE4

GetFocus.USER32 ref: 007A2F78

Part of subcall function 007A2DEE: GetParent.USER32(00000000), ref: 007A2DF9

GetClassNameW.USER32(?,?,00000100), ref: 007A2FC3
EnumChildWindows.USER32(?,007A303B), ref: 007A2FEB

Strings

%s%d, xrefs: 007A2FFF

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: e5b16ebf49b849738fd153d731e64e9a38f54ad7541077a8f1c9f21d3020b5ee
Instruction ID: b2aeed525a3989af3ff1078ae1ed11a7694d75e55d3e8b7a76e4f4cb3dd1e504
Opcode Fuzzy Hash: e5b16ebf49b849738fd153d731e64e9a38f54ad7541077a8f1c9f21d3020b5ee
Instruction Fuzzy Hash: 131190B1700205ABDF556F648C89EEE376AAFC5304F048175FD099B293DE78994ACB60

Function 007D5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007D58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007D58EE
DrawMenuBar.USER32(?), ref: 007D58FD

Strings

0, xrefs: 007D588F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 811fb82591de6d7cbce476e6b0454c9c93bd8058044d5dcb1d598ec937b3e4c7
Instruction ID: d4209ed2daebe14e05d1f790d9f352b936cb99abfd9903546ae41d2a25dfa3e4
Opcode Fuzzy Hash: 811fb82591de6d7cbce476e6b0454c9c93bd8058044d5dcb1d598ec937b3e4c7
Instruction Fuzzy Hash: 7B018031500218EFDB219F15EC49FEEBBB8FF45361F10809AE849D6251DB789A94DF21

Function 007A007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671541ddcf0052f045a38d30e1ba626b09a313f56bc8fa6a082ef07a249fdf20
Instruction ID: f7b207309db768b048334812eac3f90c0b0d8a1aec763923fd7a61bc9fceaf3b
Opcode Fuzzy Hash: 671541ddcf0052f045a38d30e1ba626b09a313f56bc8fa6a082ef07a249fdf20
Instruction Fuzzy Hash: 51C15C75A0020AEFDB14CFA4C898BAEB7B5FF89314F108A98E505EB251D735ED41DB90

Function 007C342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007C3459
CoUninitialize.OLE32 ref: 007C3463
VariantInit.OLEAUT32(?), ref: 007C346E
VariantClear.OLEAUT32(?), ref: 007C371B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 307e4dd7ff89f0e63062a7f74dddee20050b21728f8b3ab2c67df2012d4236a2
Instruction ID: d72868451f3df59d116dcc85364102ad6dc281ac1cde5b73f10c37d00ae1aa24
Opcode Fuzzy Hash: 307e4dd7ff89f0e63062a7f74dddee20050b21728f8b3ab2c67df2012d4236a2
Instruction Fuzzy Hash: 57A11575604210DFC714DF28C489E6AB7E5EF88714F04885DF98A9B362DB38EE05CB91

Function 007A0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007DFC08,?), ref: 007A05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007DFC08,?), ref: 007A0608
CLSIDFromProgID.OLE32(?,?,00000000,007DCC40,000000FF,?,00000000,00000800,00000000,?,007DFC08,?), ref: 007A062D
_memcmp.LIBVCRUNTIME ref: 007A064E

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: dd507e1e002e2112355a3ffbb3368a929448bb1a5c3d14634ebaf333e8acafe2
Instruction ID: 29085608a1d9e04d3db2fd81015ee92439a7f478f1516cef158177f65c5d57d1
Opcode Fuzzy Hash: dd507e1e002e2112355a3ffbb3368a929448bb1a5c3d14634ebaf333e8acafe2
Instruction Fuzzy Hash: D9811C71A00109EFCB04DF94C988EEEB7B9FF89315F204559F506AB250DB75AE06CBA0

Function 007CA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007CA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 007CA6BA

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

Process32NextW.KERNEL32(00000000,?), ref: 007CA79C
CloseHandle.KERNEL32(00000000), ref: 007CA7AB

Part of subcall function 0075CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00783303,?), ref: 0075CE8A

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: f5122c19ad5411d137a87700f018db696ffbe23021fc4f522281e15cf5f53128
Instruction ID: 9f8f369180f348a0ab57c367386d14cfc51f8160d31fbff6c1bf9b6a26dcf65e
Opcode Fuzzy Hash: f5122c19ad5411d137a87700f018db696ffbe23021fc4f522281e15cf5f53128
Instruction Fuzzy Hash: D0513A71508301AFD310DF24C88AA6BBBE8FF89754F00891DF58597252EB78D904CB92

Function 00781391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007814C0

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4a8ded83c8951456218e955a98c2eb8c1381fa8f5ece508a8e86713f0184fa31
Instruction ID: 4d91c2770f98113c7de1e10856b7897ca488a03dfd479b996e9e358a77976b55
Opcode Fuzzy Hash: 4a8ded83c8951456218e955a98c2eb8c1381fa8f5ece508a8e86713f0184fa31
Instruction Fuzzy Hash: 0B410831A80141EBDF217BB99C49AAE3AACFF45370F544226F81DD6192E67C48429761

Function 007D6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007D62E2
ScreenToClient.USER32(?,?), ref: 007D6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 007D6382

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4f628a72c9bb6d6bddda5b731deb4031a79a8cebe6712f73f11764f1274f3823
Instruction ID: fac899b1b4cb2e81c512c621b1781ae7c176b6da18a7a9bc526a00dc60ee1d2d
Opcode Fuzzy Hash: 4f628a72c9bb6d6bddda5b731deb4031a79a8cebe6712f73f11764f1274f3823
Instruction Fuzzy Hash: 77510775A00209AFDF10DF68D8849AE7BB6FF55360F14825AF9259B390D734AD81CB90

Function 007C1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 007C1AFD
WSAGetLastError.WSOCK32 ref: 007C1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007C1B8A
WSAGetLastError.WSOCK32 ref: 007C1B94

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 6a9299de9e0e956b3a523a15f87ec71be28090f040e351723985e76a0157f632
Instruction ID: 00c7610d601082e0d469292b2fd1b77136d22da6f0a075317e9e0b1acffbcdbe
Opcode Fuzzy Hash: 6a9299de9e0e956b3a523a15f87ec71be28090f040e351723985e76a0157f632
Instruction Fuzzy Hash: 7141BF74600201AFE720AF24C88AF2977E5AB45718F94849CF91A9F3D3D77ADD42CB90

Function 0077B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b763ef3f73092aee874dac04e58a7206c27fb5a2158ee15d03f048d659b31aa1
Instruction ID: 576027c552a210d0a84285c1ba1865599235d54857d9c44322f192eed53c1b8e
Opcode Fuzzy Hash: b763ef3f73092aee874dac04e58a7206c27fb5a2158ee15d03f048d659b31aa1
Instruction Fuzzy Hash: 66411B71A00344FFDB249F38CC45B6A7BF9EB88750F10852AF559DB282D779A9118780

Function 007B56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007B5783
GetLastError.KERNEL32(?,00000000), ref: 007B57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007B57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007B57FA

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 454ab5b04dc5346a3f3074669d47267b16f52f37f85de54d564b4cd36af986ee
Instruction ID: a36fbbfefaf5ee56bc04a3ef12cc6ec7bca260436b761b2b0cf9728b0f8621eb
Opcode Fuzzy Hash: 454ab5b04dc5346a3f3074669d47267b16f52f37f85de54d564b4cd36af986ee
Instruction Fuzzy Hash: 9F410A35600611DFCB15DF15C548A5ABBE2EF89320B198888E84AAF362CB39FD40CB91

Function 0077D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00766D71,00000000,00000000,007682D9,?,007682D9,?,00000001,00766D71,?,00000001,007682D9,007682D9), ref: 0077D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0077D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0077D9AB
__freea.LIBCMT ref: 0077D9B4

Part of subcall function 00773820: RtlAllocateHeap.NTDLL(00000000,?,00811444,?,0075FDF5,?,?,0074A976,00000010,00811440,007413FC,?,007413C6,?,00741129), ref: 00773852

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 5993e248ba32aa98e062d7834bb5268e7974f221514ca14ba2f9b31a555f6890
Instruction ID: c5195fbb12912e8a5c4b1e16a6d7a04b047ed11f503e5ffa7ddfa2a0e8caed62
Opcode Fuzzy Hash: 5993e248ba32aa98e062d7834bb5268e7974f221514ca14ba2f9b31a555f6890
Instruction Fuzzy Hash: EC31DE72A0021AABDF259F64DC45EAE7BB5EF41350F058268FD09D7250EB39ED50CBA0

Function 007D52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 007D5352
GetWindowLongW.USER32(?,000000F0), ref: 007D5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007D5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007D53A8

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 7ee7e5868fc6da0c011d88d1dff7c0467dea21d069e12c7bc8f843eaa5e166a4
Instruction ID: 380052fd31513468edcbbd46fd7dd65ce206be25b04374f32d06f28c2c1c90d8
Opcode Fuzzy Hash: 7ee7e5868fc6da0c011d88d1dff7c0467dea21d069e12c7bc8f843eaa5e166a4
Instruction Fuzzy Hash: 7331A134A55A08EFEF359E14CC4ABE87B76AB05398F584103FA11963E1C7BC9D90DB41

Function 007AAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 007AABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 007AAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 007AAC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 007AACC6

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9b2efd315ec23bdb85443b1e8eb7173136b119c612cccbb50dc86879bfb5de87
Instruction ID: 1afde51ca00a3716ef76676ff91f496d465d18cb1bbb0d919ee5a46729829d25
Opcode Fuzzy Hash: 9b2efd315ec23bdb85443b1e8eb7173136b119c612cccbb50dc86879bfb5de87
Instruction Fuzzy Hash: 7731F630A44618BFFF258B6588087FA7BA6ABC6330F04831AE485921D1D37D8995D772

Function 007D7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007D769A
GetWindowRect.USER32(?,?), ref: 007D7710
PtInRect.USER32(?,?,007D8B89), ref: 007D7720
MessageBeep.USER32(00000000), ref: 007D778C

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 9327ebfdcef67345a1b40385d2b9d7cbd2544498b59db39441018a43968df4ac
Instruction ID: 3bfd11d378282b36067c4a6acf503659c17ccbb0a2d46bfa4c52813f2cb935fc
Opcode Fuzzy Hash: 9327ebfdcef67345a1b40385d2b9d7cbd2544498b59db39441018a43968df4ac
Instruction Fuzzy Hash: 7541B134A09215DFCB05CF68C898EA9BBF4FF48320F5485AAE5249B361E334E941CF90

Function 007D16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007D16EB

Part of subcall function 007A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007A3A57
Part of subcall function 007A3A3D: GetCurrentThreadId.KERNEL32 ref: 007A3A5E
Part of subcall function 007A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007A25B3), ref: 007A3A65

GetCaretPos.USER32(?), ref: 007D16FF
ClientToScreen.USER32(00000000,?), ref: 007D174C
GetForegroundWindow.USER32 ref: 007D1752

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: abd587e392f251511387734458fcb3afe744c8714ec96413784a4e7d7de89e39
Instruction ID: bd3bcfd1c64702615b129430b96bbfa8ff125283c6a5f8d40cc51f04e33ace2b
Opcode Fuzzy Hash: abd587e392f251511387734458fcb3afe744c8714ec96413784a4e7d7de89e39
Instruction Fuzzy Hash: F8316F75D01249EFC704EFA9C885DAEBBF9EF48304B5480AAE415E7211DB39DE45CBA0

Function 007ADF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00747620: _wcslen.LIBCMT ref: 00747625

_wcslen.LIBCMT ref: 007ADFCB
_wcslen.LIBCMT ref: 007ADFE2
_wcslen.LIBCMT ref: 007AE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 007AE018

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 0726a0fe19f6d139d24514dba41c0e83c1a9e34621632d8fe6f4deb1137a4694
Instruction ID: 99dc0f3e93268772874157b647a3062ec4861447e70c662c19b641161ceb0841
Opcode Fuzzy Hash: 0726a0fe19f6d139d24514dba41c0e83c1a9e34621632d8fe6f4deb1137a4694
Instruction Fuzzy Hash: 2D21E571D00214EFCB20DFA8C982BAEB7F8EF8A750F114165E805BB245D7789E40CBA1

Function 007D8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00759BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00759BB2

GetCursorPos.USER32(?), ref: 007D9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00797711,?,?,?,?,?), ref: 007D9016
GetCursorPos.USER32(?), ref: 007D905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00797711,?,?,?), ref: 007D9094

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: fd1a35980aea97735f4074e31bc827bf7e0718e9b65db8ad5edbc92a3966a1e7
Instruction ID: 8c8d515d3bd04a285686ae8c5465757ff2011e287328a98c3d34ba05e0303aef
Opcode Fuzzy Hash: fd1a35980aea97735f4074e31bc827bf7e0718e9b65db8ad5edbc92a3966a1e7
Instruction Fuzzy Hash: 7E21D131600018EFCF269F94EC58EFABBB9FF89350F148166FA0587261C3399990DB60

Function 007AD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,007DCB68), ref: 007AD2FB
GetLastError.KERNEL32 ref: 007AD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 007AD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007DCB68), ref: 007AD376

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 285655aa09da76bfd4f0c201b7fe8aa847deb218fd8078981a7bc6f30cf30123
Instruction ID: cac222b34054dfd923be4cdb97bf41399704616baa36a46889d7bc93be04ea23
Opcode Fuzzy Hash: 285655aa09da76bfd4f0c201b7fe8aa847deb218fd8078981a7bc6f30cf30123
Instruction Fuzzy Hash: EC216070505202DF8B20DF28C88546EB7E8AF96364F104B1EF4AAC72A1D739DD45CB93

Function 007A1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007A102A
Part of subcall function 007A1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007A1036
Part of subcall function 007A1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A1045
Part of subcall function 007A1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007A104C
Part of subcall function 007A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007A15BE
_memcmp.LIBVCRUNTIME ref: 007A15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007A1617
HeapFree.KERNEL32(00000000), ref: 007A161E

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 5ab34dc8b256c781e4c7ad4f9bf5377d2b1b25c14827c769300ad00f88d4e959
Instruction ID: 74c8af5d6ae393cd182cf60c6fb322b3421108bd62cdf7cc6f790887cc73db9a
Opcode Fuzzy Hash: 5ab34dc8b256c781e4c7ad4f9bf5377d2b1b25c14827c769300ad00f88d4e959
Instruction Fuzzy Hash: 7621B071E41109EFEF00DFA4C949BEEB7B8EF81344F498559E441AB241EB38AE04CB50

Function 007D2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 007D280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007D2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007D2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 007D2840

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 244015ee6c2a1b63d25bf6921c53b795eb7ea0798af735a80f5d680321fb21c1
Instruction ID: 1bf7daa9cf030a56b6caa28ef42f7f3876d99f11ff814daf690795b4ed489d70
Opcode Fuzzy Hash: 244015ee6c2a1b63d25bf6921c53b795eb7ea0798af735a80f5d680321fb21c1
Instruction Fuzzy Hash: 6421B231205111AFD7159B24C844F6AB7A5AF95324F14815AF4168B793C779FC43C790

Function 007A78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 007A8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,007A790A,?,000000FF,?,007A8754,00000000,?,0000001C,?,?), ref: 007A8D8C
Part of subcall function 007A8D7D: lstrcpyW.KERNEL32(00000000,?,?,007A790A,?,000000FF,?,007A8754,00000000,?,0000001C,?,?,00000000), ref: 007A8DB2
Part of subcall function 007A8D7D: lstrcmpiW.KERNEL32(00000000,?,007A790A,?,000000FF,?,007A8754,00000000,?,0000001C,?,?), ref: 007A8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,007A8754,00000000,?,0000001C,?,?,00000000), ref: 007A7923
lstrcpyW.KERNEL32(00000000,?,?,007A8754,00000000,?,0000001C,?,?,00000000), ref: 007A7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,007A8754,00000000,?,0000001C,?,?,00000000), ref: 007A7984

Strings

cdecl, xrefs: 007A797B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 3d6549d4df42973494a572678ec7d3eff68b25a6d3af2cd3b470cf5ecd1d46c3
Instruction ID: df49f9c0dea57190a40d5bf4e0f23439a68bc8e3b62b27b5e651bdb795156aa7
Opcode Fuzzy Hash: 3d6549d4df42973494a572678ec7d3eff68b25a6d3af2cd3b470cf5ecd1d46c3
Instruction Fuzzy Hash: 3D11E93A201302ABDB155F34DC45D7B77A9FF86350B50812BF946C72A4EB799811C791

Function 007D7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 007D7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 007D7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007D7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007BB7AD,00000000), ref: 007D7D6B

Part of subcall function 00759BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00759BB2

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 55910123076c62d7a35551e6797202287d8b501d786e6f8cee13237f08f3741f
Instruction ID: aa81ac5fac2566658e2125f23e13e8e6b66c9f9e6864b8028b4720d8b22acf4f
Opcode Fuzzy Hash: 55910123076c62d7a35551e6797202287d8b501d786e6f8cee13237f08f3741f
Instruction Fuzzy Hash: F211D231205615AFCB158F28CC08AA63BBABF45370B218326F93ADB3F0E7348950DB50

Function 007D5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007D56BB
_wcslen.LIBCMT ref: 007D56CD
_wcslen.LIBCMT ref: 007D56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 007D5816

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 409c9c303145b1eefe5c5dec6b9c6f91ef36f739c1f0b0b4bfc57d374a535ea4
Instruction ID: 270a4968b935d8c5ab2686655d3f0a243fd285a74cf0cd6768ed3a8aa1f4e57d
Opcode Fuzzy Hash: 409c9c303145b1eefe5c5dec6b9c6f91ef36f739c1f0b0b4bfc57d374a535ea4
Instruction Fuzzy Hash: D111D371A00608A7DF209F65CC85EEE77BCEF10760B10806BF916D6281EB78DA84CF64

Function 00771D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4e41449b31688af622ccb69545a94767d38f58eed5167de511bc5c92772e02
Instruction ID: f7e7db116446076d2bd6728a2c38508d6406ffca6f109e19efffebf954406c2c
Opcode Fuzzy Hash: 8f4e41449b31688af622ccb69545a94767d38f58eed5167de511bc5c92772e02
Instruction Fuzzy Hash: 9B01BCB230561A7EEE2116786CC1F27662CEF413F8B758326F528A11D2DB688C405A20

Function 007A1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 007A1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007A1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007A1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007A1A8A

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0f4cd2b5b40d87b18f421750c5d85ecd18d08e91cc7843f806fa5db2436f47f5
Instruction ID: 0a9dcc78f1b4626a2e35337528226561c102c4bdc8b6b084ced9c680c535051e
Opcode Fuzzy Hash: 0f4cd2b5b40d87b18f421750c5d85ecd18d08e91cc7843f806fa5db2436f47f5
Instruction Fuzzy Hash: C8113C3AD01219FFEB11DBA4CD85FADBB78EB04750F204191E600B7290D6716E50DB94

Function 007AE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007AE1FD
MessageBoxW.USER32(?,?,?,?), ref: 007AE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007AE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007AE24D

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: e6889fc380fc6ddeee099d39b6b3648bb95c8bd793d5fb0f7628ce287a1a9bbb
Instruction ID: 2d077330b1ad8b2529fac98dce9e9a1e22df6dc91a575e4831658712dce01cd1
Opcode Fuzzy Hash: e6889fc380fc6ddeee099d39b6b3648bb95c8bd793d5fb0f7628ce287a1a9bbb
Instruction Fuzzy Hash: D511E9B1904259BBCB119BA89C09A9E7BACBF85310F008315F924D3290D37889008761

Function 0076D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0076CFF9,00000000,00000004,00000000), ref: 0076D218
GetLastError.KERNEL32 ref: 0076D224
__dosmaperr.LIBCMT ref: 0076D22B
ResumeThread.KERNEL32(00000000), ref: 0076D249

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 75056cf9fc8a55aeabdefe177a7f299a10932254e0c5b3de19bf1d750bfe7b43
Instruction ID: 94ea6e54101c11686c5ec16c652097d475ceb0606f74da0bda0a438ca82c15eb
Opcode Fuzzy Hash: 75056cf9fc8a55aeabdefe177a7f299a10932254e0c5b3de19bf1d750bfe7b43
Instruction Fuzzy Hash: 0401D276E15208BFCB215BA5DC09BAE7B69EF82330F114219FD26921D0DBB9CD41C6A1

Function 007D9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00759BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00759BB2

GetClientRect.USER32(?,?), ref: 007D9F31
GetCursorPos.USER32(?), ref: 007D9F3B
ScreenToClient.USER32(?,?), ref: 007D9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 007D9F7A

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 47139906365ec40e00048d22c16aeffc1b0cbe6d7f8662de5c07d0e45059388e
Instruction ID: 398e37c6a38e8153561e1f7681dd6db7d7b3fe6badf4c2c2fe64feab6e13def2
Opcode Fuzzy Hash: 47139906365ec40e00048d22c16aeffc1b0cbe6d7f8662de5c07d0e45059388e
Instruction Fuzzy Hash: 0B115A3290011AEBDF01DFA8D8499EE77B8FF05311F504552FA12E3240D738BA91CBA5

Function 0074600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0074604C
GetStockObject.GDI32(00000011), ref: 00746060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0074606A

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 2f67144cbb68351812ef8f2ff80f279a143fa4ce6a6a9dbdb9dea8e9ad7c5609
Instruction ID: b210e2fc66e5b8779ab8f9127d64d9775b77ac2d492b77b1a11b39a47f560501
Opcode Fuzzy Hash: 2f67144cbb68351812ef8f2ff80f279a143fa4ce6a6a9dbdb9dea8e9ad7c5609
Instruction Fuzzy Hash: A5115BB2502509BFEF125FA49C44EEABB69EF097A5F044216FA1452120D73ADC60DBA1

Function 00763B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00763B56

Part of subcall function 00763AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00763AD2
Part of subcall function 00763AA3: ___AdjustPointer.LIBCMT ref: 00763AED

_UnwindNestedFrames.LIBCMT ref: 00763B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00763B7C
CallCatchBlock.LIBVCRUNTIME ref: 00763BA4

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 5421f478581db165a1cf2aedac3e9d00d5fa0bf4171199498355e0055c859eeb
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2F012972100149BBDF125E95CC46EEB3F6AEF49754F044014FE4966121C73AE961EBA0

Function 00773073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007413C6,00000000,00000000,?,0077301A,007413C6,00000000,00000000,00000000,?,0077328B,00000006,FlsSetValue), ref: 007730A5
GetLastError.KERNEL32(?,0077301A,007413C6,00000000,00000000,00000000,?,0077328B,00000006,FlsSetValue,007E2290,FlsSetValue,00000000,00000364,?,00772E46), ref: 007730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0077301A,007413C6,00000000,00000000,00000000,?,0077328B,00000006,FlsSetValue,007E2290,FlsSetValue,00000000), ref: 007730BF

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 576a45a924435cd05b5c2c944602b8367a09da6de799bd22fdae09ea76b32e1b
Instruction ID: 17580a00d9f8a9bede71bd8f7096ffdc05f90477d1b53e103c43dcaa7022a99e
Opcode Fuzzy Hash: 576a45a924435cd05b5c2c944602b8367a09da6de799bd22fdae09ea76b32e1b
Instruction Fuzzy Hash: 0301F732352227ABCF314B789C459677BAAAF05BE1B20C720F90DE7180DB29D901D6E0

Function 007A7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 007A747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 007A7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007A74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007A74CA

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: ad5ea4e30a946c17090afea5794c801947ac9790beeb8ec900bfcc32a2b07792
Instruction ID: a8f1c22c0ac982af91984df23901765268818228bc9fe49947a75544125a92b0
Opcode Fuzzy Hash: ad5ea4e30a946c17090afea5794c801947ac9790beeb8ec900bfcc32a2b07792
Instruction Fuzzy Hash: ED11C0B120A355EFE7208F14DD08F927FFCEB89B10F10866AA616D6191D7B8E904DB60

Function 007AB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,007AACD3,?,00008000), ref: 007AB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,007AACD3,?,00008000), ref: 007AB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,007AACD3,?,00008000), ref: 007AB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,007AACD3,?,00008000), ref: 007AB126

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 8c8f937da0216ac971335a819a6242c9d30046f2db6371f71ccff009853fce50
Instruction ID: f2366060823be4eb45e364a2e7a32c2253d5a6a8dea2afe89e0e68f42b88ef2d
Opcode Fuzzy Hash: 8c8f937da0216ac971335a819a6242c9d30046f2db6371f71ccff009853fce50
Instruction Fuzzy Hash: 8F118071C0152DE7CF00AFE4E9596EEBF78FF8A711F108196D981B2182CB389A50CB55

Function 007D7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007D7E33
ScreenToClient.USER32(?,?), ref: 007D7E4B
ScreenToClient.USER32(?,?), ref: 007D7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007D7E8A

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 4f67f8ec660e92dce5b9bfe050aa8170c96091da1c78d3ad6c91be400009a393
Instruction ID: db6d4c117eec18a36e18e261be1aa1e1872d33b1d18fff69f3b5e155a73595fb
Opcode Fuzzy Hash: 4f67f8ec660e92dce5b9bfe050aa8170c96091da1c78d3ad6c91be400009a393
Instruction Fuzzy Hash: F31153B9D0020AAFDB41CF98C884AEEBBF9FF08310F509166E915E3210D735AA54CF94

Function 007A2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 007A2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 007A2DD6
GetCurrentThreadId.KERNEL32 ref: 007A2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 007A2DE4

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ce8437ca8332ca9ec82ec4a7ee3a2b4b05486ca7ccf8647b50e4bb4f9c1525fb
Instruction ID: 14fafa77d2dbcada5e4a6cc9c0f247dc3ab8eeceacd095898ed712f5fd49c2bd
Opcode Fuzzy Hash: ce8437ca8332ca9ec82ec4a7ee3a2b4b05486ca7ccf8647b50e4bb4f9c1525fb
Instruction Fuzzy Hash: E9E06D71203225BADB211B669C0EEEB3F7CEF83BA1F004116B505D10829AA9C841C6B0

Function 007D8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00759639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00759693
Part of subcall function 00759639: SelectObject.GDI32(?,00000000), ref: 007596A2
Part of subcall function 00759639: BeginPath.GDI32(?), ref: 007596B9
Part of subcall function 00759639: SelectObject.GDI32(?,00000000), ref: 007596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 007D8887
LineTo.GDI32(?,?,?), ref: 007D8894
EndPath.GDI32(?), ref: 007D88A4
StrokePath.GDI32(?), ref: 007D88B2

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c5c8b945d682c58572c37504233fa19766e5c6d96f89725b54c18e6257fa24d9
Instruction ID: aedc319702a45f57bc19ecaf2431fa4eedf82561dbe4c872d86e09e04a00e3f0
Opcode Fuzzy Hash: c5c8b945d682c58572c37504233fa19766e5c6d96f89725b54c18e6257fa24d9
Instruction Fuzzy Hash: BEF03A36046259FADF135F94AC0DFCA3F69AF06311F44C002FB11651E1C7B95511DBA9

Function 007598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007598CC
SetTextColor.GDI32(?,?), ref: 007598D6
SetBkMode.GDI32(?,00000001), ref: 007598E9
GetStockObject.GDI32(00000005), ref: 007598F1

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: de25a10d3f80293692c1646022c99d403bb6050fd26d1e475dbae42932ec0b6a
Instruction ID: f300ecdea621f34bea2fdab5f235245da12ddcb30a02ea9bf0e05ec2ba61a505
Opcode Fuzzy Hash: de25a10d3f80293692c1646022c99d403bb6050fd26d1e475dbae42932ec0b6a
Instruction Fuzzy Hash: B4E06D31245295AADF225B74BC09BE83F20AB12336F14C21AF6FA580E1C37A4650DB20

Function 007A162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 007A1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007A11D9), ref: 007A163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007A11D9), ref: 007A1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007A11D9), ref: 007A164F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: c41235428a471ba3d217490e677ff7ffc4ed3562f14d39d63b7c1abba670aadd
Instruction ID: ea245f34ab45fd73deba67a9d0acf97d055f1ba40b9eb4bb95f26b7f5f8cb419
Opcode Fuzzy Hash: c41235428a471ba3d217490e677ff7ffc4ed3562f14d39d63b7c1abba670aadd
Instruction Fuzzy Hash: 47E08631603212DBE7201FE09F0DB463B7CAF457A1F14C809F245C9080DA3C4440C758

Function 0079D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0079D858
GetDC.USER32(00000000), ref: 0079D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0079D882
ReleaseDC.USER32(?), ref: 0079D8A3

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7d49196bd6a89be1a8f456a35404e6784a4e9baa17df72d47298a65d1bc01fe8
Instruction ID: 1516180a22860a92a6652d23849e059c60dfed6464d8c632ca4d40d85c9dbe1f
Opcode Fuzzy Hash: 7d49196bd6a89be1a8f456a35404e6784a4e9baa17df72d47298a65d1bc01fe8
Instruction Fuzzy Hash: F4E01AB1801206DFCF529FA0D80CA6DBBB1FB08311F18C00AE806E7250C73C8945EF44

Function 0079D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0079D86C
GetDC.USER32(00000000), ref: 0079D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0079D882
ReleaseDC.USER32(?), ref: 0079D8A3

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 68316f924ee7f42347e695525c8c4f50ae200cc049d211640dee85bdb0d5d6e4
Instruction ID: 9526009b90f3c7c400a5421a9e947d68b036171b166ffeb1bb7bceab06c7219f
Opcode Fuzzy Hash: 68316f924ee7f42347e695525c8c4f50ae200cc049d211640dee85bdb0d5d6e4
Instruction Fuzzy Hash: 00E012B1802202EFCB52AFA0D80C66DBBB1FB08311B18800AE90AE7250CB3C9905EF44

Function 007B4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00747620: _wcslen.LIBCMT ref: 00747625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 007B4ED4

Strings

LPT, xrefs: 007B4DFB
*, xrefs: 007B4E10

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 085de2324d34ecf4caf2c0e2af9a3be0d403a7eacdf29ac93cfddcd3b30ba139
Instruction ID: 6bf99cdecafc1e3b71a6a8ed2ceaed1552a72251d25177182aa2b63900e97c53
Opcode Fuzzy Hash: 085de2324d34ecf4caf2c0e2af9a3be0d403a7eacdf29ac93cfddcd3b30ba139
Instruction Fuzzy Hash: 55912C75A00254DFCB14DF58C484FAABBF5AF44304F198099E80A9F3A2D779ED85CB91

Function 0075E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0075E1B1

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 93de9d83c16110a792fe81cf3ade536931ec039d400937b885910d145bb4f0f5
Instruction ID: bb1f0d7a788ce9401c47db81732d300ec5aca5a131936a9de3810f50dfddcec4
Opcode Fuzzy Hash: 93de9d83c16110a792fe81cf3ade536931ec039d400937b885910d145bb4f0f5
Instruction Fuzzy Hash: 83511E31904246DFDF19DFA8D085AFA7BA8FF15310F248015EC919B280DB7C9E86CBA1

Function 0075F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0075F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0075F2BB

Strings

@, xrefs: 0075F2AF

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 086d8deea8f5d9cec074b5f3c08a153bc555d75a97d8417afbe3db350bf08df1
Instruction ID: 36c3634ba28abc6eb7c9986bcde6c2e7e3d3b31fcbbfa4d34ec435a8978bc226
Opcode Fuzzy Hash: 086d8deea8f5d9cec074b5f3c08a153bc555d75a97d8417afbe3db350bf08df1
Instruction Fuzzy Hash: 15513872409744DBD320AF50D88ABABBBF8FB84300F81885DF1D9411A5EB758529CB6B

Function 007C5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007C57E0
_wcslen.LIBCMT ref: 007C57EC

Strings

CALLARGARRAY, xrefs: 007C57E6, 007C57EB

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: d30c2463c484d692f22dbf314495815720a310a5c5aa22c4a0c75d72f795c3f1
Instruction ID: 07ce9b56c6971559b73b575a2d77eb296e38046ae50183de4a9a30df83118a83
Opcode Fuzzy Hash: d30c2463c484d692f22dbf314495815720a310a5c5aa22c4a0c75d72f795c3f1
Instruction Fuzzy Hash: 83417C31A00209DFCB14DFA8C885EAEBBF5EF59360F14416DF505A7291E779AD81CBA0

Function 007BD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007BD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007BD13A

Strings

|, xrefs: 007BD10B

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 22dd33926adce54be2e2732f3dfea75aa2c92442821c1e11a1dc126971fd83a3
Instruction ID: a0a43589f36bb7484c84ebe59446edb0abf77784b9266f37c103aad6ab27c420
Opcode Fuzzy Hash: 22dd33926adce54be2e2732f3dfea75aa2c92442821c1e11a1dc126971fd83a3
Instruction Fuzzy Hash: 86313E71D01219EBCF15EFA4CC89AEEBFB9FF05300F004019F915A6162E739AA06DB50

Function 007D356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 007D3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007D365C

Strings

static, xrefs: 007D35BC

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e889e5dd431146d53ffc9a41bbf3dac9dc4a34e611cc2dc77a7095747b65d089
Instruction ID: 221fd49197299c35f070cd0e735a01ce688c22e45b83f5c428ca48676120f0a6
Opcode Fuzzy Hash: e889e5dd431146d53ffc9a41bbf3dac9dc4a34e611cc2dc77a7095747b65d089
Instruction Fuzzy Hash: E9318B71110604AEDB109F38DC81EFB73B9FF88720F00961AF9A597290DA39ED91D761

Function 007D4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 007D461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007D4634

Strings

', xrefs: 007D458E

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: e71177e9116202e2a7b6b5882e7fbac28eabe9036e54a9c84256aff7f5c6360c
Instruction ID: c5d6fc85d8bcc60e3f2db2f00e8afdf04057c289bd9c6870b524f5fbc0d3d19e
Opcode Fuzzy Hash: e71177e9116202e2a7b6b5882e7fbac28eabe9036e54a9c84256aff7f5c6360c
Instruction Fuzzy Hash: D6313674A0120AAFDF14CFA9D981BDABBB5FF09300F14406AE906AB381D774E951CF90

Function 007D31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007D327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007D3287

Strings

Combobox, xrefs: 007D3249

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 7ed2fe6a31b1fa624ad79a1325fafb95bfa8749bf3b6ef9b4ed7ec5b71dc21d6
Instruction ID: a7afec389fed591c7841eae1139ca7ae189b57c902d55012a89e787c7e191479
Opcode Fuzzy Hash: 7ed2fe6a31b1fa624ad79a1325fafb95bfa8749bf3b6ef9b4ed7ec5b71dc21d6
Instruction Fuzzy Hash: A511B271B00208BFEF219F54DC85EBB3B7AFB94364F10412AF91897390D679AD518761

Function 007D3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0074600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0074604C
Part of subcall function 0074600E: GetStockObject.GDI32(00000011), ref: 00746060
Part of subcall function 0074600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0074606A

GetWindowRect.USER32(00000000,?), ref: 007D377A
GetSysColor.USER32(00000012), ref: 007D3794

Strings

static, xrefs: 007D3757

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 67828f638e637f8244eed2484390e5757c72353551d41986729cc8d5f0fac567
Instruction ID: 1ebb60005155e422c50042740b487fd43f04f78f5e85490b229f4752a4ec9688
Opcode Fuzzy Hash: 67828f638e637f8244eed2484390e5757c72353551d41986729cc8d5f0fac567
Instruction Fuzzy Hash: 2C1129B261060AAFDF01DFA8CC46EEA7BB8FB08354F004516F955E2250D739E851DB61

Function 007BCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007BCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007BCDA6

Strings

<local>, xrefs: 007BCD66

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d4b10dda1aece615befeff20c34a0e52bdd72a9a5afd02ca3f431930e43d110f
Instruction ID: 849a129989ee8f8dee1fa56e969038bf23711c8cc205bfafc7c9adc0855457db
Opcode Fuzzy Hash: d4b10dda1aece615befeff20c34a0e52bdd72a9a5afd02ca3f431930e43d110f
Instruction Fuzzy Hash: 1711C679305632BAD7364B668C49FE7BE6CEF527A4F40822AB14983180D7789840D6F0

Function 007D3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007D34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007D34BA

Strings

edit, xrefs: 007D348F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 4f3b6c3d793ebdee9623cd74e9fea250bbec32f1a58a729b25b8e5d0a5111f71
Instruction ID: 4ee908437112e4d55d07285f13b0bfa99c0bb8549d3786f38351b8ae5af4a212
Opcode Fuzzy Hash: 4f3b6c3d793ebdee9623cd74e9fea250bbec32f1a58a729b25b8e5d0a5111f71
Instruction Fuzzy Hash: 8C116D71100148AAEB125E64EC44AFB377AEB05374F508326F961932E0C77DDC519756

Function 007A6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

CharUpperBuffW.USER32(?,?,?), ref: 007A6CB6
_wcslen.LIBCMT ref: 007A6CC2

Strings

STOP, xrefs: 007A6CBC, 007A6CC1

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: df8fcecedf15b7d337e6de689bd1adaf3d7b429df5504a4ea029cad5b791571a
Instruction ID: 414259e503c7a3d01e581c6718b4be7e6ee9109b05f15ff8cbca2aa0a4bd2987
Opcode Fuzzy Hash: df8fcecedf15b7d337e6de689bd1adaf3d7b429df5504a4ea029cad5b791571a
Instruction Fuzzy Hash: ED010432700527CBCB20AFBDDC848BF73B4EFA27607050624E96292195EB39E900C660

Function 007A1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

Part of subcall function 007A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007A3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007A1D4C

Strings

ListBox, xrefs: 007A1D16
ComboBox, xrefs: 007A1CEB

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5d5631717e445543b230f9e07bc5974b7e2b06daaa1a3363fd2884be58a76e76
Instruction ID: c7807bd760a4a0fc90aaaca127921a1bd558ed3dae1d921fafd9cd236e250776
Opcode Fuzzy Hash: 5d5631717e445543b230f9e07bc5974b7e2b06daaa1a3363fd2884be58a76e76
Instruction Fuzzy Hash: B501B575741214ABDB04EBA4CC598FF7768FB87360F440B19B932673C1EB3859088671

Function 007A1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

Part of subcall function 007A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007A3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 007A1C46

Strings

ListBox, xrefs: 007A1C10
ComboBox, xrefs: 007A1BE5

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 19a8393855c41fe6e30087481530670d0f5b5f345638a5f9480cea107c54e460
Instruction ID: 7362d6c8825f423686980ac9d951a96ae4ba53277631ab4f2621f95aec554da5
Opcode Fuzzy Hash: 19a8393855c41fe6e30087481530670d0f5b5f345638a5f9480cea107c54e460
Instruction Fuzzy Hash: 8F01A775AC1104A6DB04EBA0CD659FF77A89B52360F540119B516772C2EB2C9E08C6B1

Function 007A1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

Part of subcall function 007A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007A3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 007A1CC8

Strings

ListBox, xrefs: 007A1C94
ComboBox, xrefs: 007A1C69

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ff148ffc9c1fa445536e5aaebf1be34f2189861eea2a4b0d4c7976c51c20b30d
Instruction ID: faca12215f2772ef2ba10cbaf0fc0f87d4a741d97e5bf5069ac1958174403607
Opcode Fuzzy Hash: ff148ffc9c1fa445536e5aaebf1be34f2189861eea2a4b0d4c7976c51c20b30d
Instruction Fuzzy Hash: EA01D675A81118A7DF04EBA4CE55AFF77ACAB52350F540115B912B32C2EB2C9F08C6B1

Function 007A1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00749CB3: _wcslen.LIBCMT ref: 00749CBD

Part of subcall function 007A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007A3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 007A1DD3

Strings

ListBox, xrefs: 007A1DA0
ComboBox, xrefs: 007A1D75

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bc43fcd0e13ece312ea5cace18a810606a77790f2472971928d3efa970d4701f
Instruction ID: 9d43438049d60e7d3ee7c9bad4d2f69eca8fa7cda391dd2d798e1de31774da48
Opcode Fuzzy Hash: bc43fcd0e13ece312ea5cace18a810606a77790f2472971928d3efa970d4701f
Instruction Fuzzy Hash: E8F0A971B41214A6D704F7A4CD55AFF777CAB42350F440A15B532632C1DB68590886B0

Function 007C747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007C7493
_wcslen.LIBCMT ref: 007C74B9

Strings

3, 3, 16, 1, xrefs: 007C7483

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a689524278926202e18a02f667998b5aa124582683d6b475534856969a960db2
Instruction ID: 1d837d3a3d7390614c032b351bd5f123c3c71919941c3e16a7bcd6427b7075b1
Opcode Fuzzy Hash: a689524278926202e18a02f667998b5aa124582683d6b475534856969a960db2
Instruction Fuzzy Hash: EBE02B0264476064A23D12799CC5F7F578ADFC5750710182FFD82D2266EE9C9E91D3A0

Function 007A0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007A0B23

Strings

Error allocating memory., xrefs: 007A0B1C
AutoIt, xrefs: 007A0B17

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 211b9c257f725f5dda7ab97c8b2dead45196413d64f76f2253ada50b042ceae5
Instruction ID: 2f7294aff169c86f5df644dd808f185567ddfd31e6c170095983691fd524b4b9
Opcode Fuzzy Hash: 211b9c257f725f5dda7ab97c8b2dead45196413d64f76f2253ada50b042ceae5
Instruction Fuzzy Hash: 03E0D831344309A6D2153754BC07FC97B948F05B21F100427FB58955C38AEA285086F9

Function 00760D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0075F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00760D71,?,?,?,0074100A), ref: 0075F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0074100A), ref: 00760D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0074100A), ref: 00760D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00760D7F

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: f10e6c7fd90df753855fa5b2ac844ca4aa616ae3e54bc18496b3d58070efb570
Instruction ID: f7f406be1512178b2e2d38d468b21b67036c714fa25136b1ee27658c63a9fe0f
Opcode Fuzzy Hash: f10e6c7fd90df753855fa5b2ac844ca4aa616ae3e54bc18496b3d58070efb570
Instruction Fuzzy Hash: EFE039702003018BD3209FA8E8082427BF4BB04745F008A2EE882C6755DBBCE4448BE1

Function 007B3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 007B302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 007B3044

Strings

aut, xrefs: 007B3038

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 54bd75873cda700524cf30517e088289c031d96c9debde387c7128325e1fdc52
Instruction ID: 98d8bf34dde6ba7318b1230c56352e00062b5a892c234a571b30998bce8787ca
Opcode Fuzzy Hash: 54bd75873cda700524cf30517e088289c031d96c9debde387c7128325e1fdc52
Instruction Fuzzy Hash: 95D05B7150132467DA60A794AC0DFC73B7CEB04750F000252B655D60D1DAB4A544CAD4

Function 0079D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0079D220

Strings

%.3d, xrefs: 0079D22B
X64, xrefs: 0079D2A8

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 0b704af06219ca7469a08e49f63ed12218d77e1e1c2d8b88023cc251bbd7a7e6
Instruction ID: f97444d15e2826db3bc3c157ecc4d3b4efb3cef0be6f25c9ebd912a82c988033
Opcode Fuzzy Hash: 0b704af06219ca7469a08e49f63ed12218d77e1e1c2d8b88023cc251bbd7a7e6
Instruction Fuzzy Hash: 6AD062A5C09119E9CFB097E0ED499F9B37CFB18341F908452FD16D1180D66CDD48A761

Function 007D2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007D236C
PostMessageW.USER32(00000000), ref: 007D2373

Part of subcall function 007AE97B: Sleep.KERNEL32 ref: 007AE9F3

Strings

Shell_TrayWnd, xrefs: 007D2365

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 23f9a23291813faf99d855216f2cea4b8ab13673096e46c2fc2b1ec69f77559b
Instruction ID: dd2b108683bae36aa1d6d813ad1bf194fe22831c56e7bb23bc9e887e070fb6fa
Opcode Fuzzy Hash: 23f9a23291813faf99d855216f2cea4b8ab13673096e46c2fc2b1ec69f77559b
Instruction Fuzzy Hash: D6D0C73138131176E56567709C0FFC676549745710F1086567655D51D0D9A8B411CA58

Function 007D2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007D232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007D233F

Part of subcall function 007AE97B: Sleep.KERNEL32 ref: 007AE9F3

Strings

Shell_TrayWnd, xrefs: 007D2325

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 545b6a392603a6e6da50acac71ab3d65b867d30759b022037a4421e1bd26d477
Instruction ID: c3012cab3873228710d7ab02e47d0d1f469e023e910d96f509d9067c7c156719
Opcode Fuzzy Hash: 545b6a392603a6e6da50acac71ab3d65b867d30759b022037a4421e1bd26d477
Instruction Fuzzy Hash: 8CD0C936395311B6EAA4A770AC0FFC67A68AB40B10F108A567656AA1D0D9A8A811CA58

Function 0077BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0077BE93
GetLastError.KERNEL32 ref: 0077BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0077BEFC

Memory Dump Source

Source File: 00000001.00000002.2270154373.0000000000741000.00000020.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000001.00000002.2270122430.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.00000000007DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270430982.0000000000802000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270525379.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2270568753.0000000000814000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_740000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: b94c78de07722eab3fb33f515f268fa0f4e0d8e6e14f21fc0a22e2bac1957661
Instruction ID: 2846f67f3ba02a93eee46b92fd74493804d88b833b2ed448c8ab19fbc5c7d488
Opcode Fuzzy Hash: b94c78de07722eab3fb33f515f268fa0f4e0d8e6e14f21fc0a22e2bac1957661
Instruction Fuzzy Hash: C641F635601216EFCF218FA4CC94BBA7BA4EF41B90F14C16AF95D972A1DB388D00CB51

Analysis Process: firefox.exePID: 7924, Parent PID: 2620COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00000171D1F786B2 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00000171D1F78717

Strings

>, xrefs: 00000171D1F7951C
>, xrefs: 00000171D1F7C7BF
>, xrefs: 00000171D1F78779
z, xrefs: 00000171D1F79CF6
#, xrefs: 00000171D1F78742
#, xrefs: 00000171D1F797F1
4, xrefs: 00000171D1F7C799
A, xrefs: 00000171D1F7870F
#, xrefs: 00000171D1F76A85
z, xrefs: 00000171D1F7874B

Memory Dump Source

Source File: 00000013.00000002.3462973329.00000171D1F76000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000171D1F76000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_171d1f76000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: 3574e938363627e7fb4f647950f97844a8ba8ba63e0e4bc4efb6e8fb891c6dea
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: C0A3E031618A498BDB3EDF6CDC856E973E5FB98300F14422ED94AC7255DE34EA06CB81

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000F.00000003.2415652434.000001C1EEBD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.2430808545.000001C1EE53A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.2272139631.000001C1F5664000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.2272139631.000001C1F5664000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.2274937024.000001C1EDEF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2449546182.000001C1EE558000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2444583574.000001C1EDEF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.2430808545.000001C1EE53A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.2405204836.000001C1F5941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.2405204836.000001C1F5941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.2275856076.000001C1EDF67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2272139631.000001C1F5664000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.2272139631.000001C1F5664000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3459959985.00000171D1A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3460428107.0000027887D0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3459959985.00000171D1A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3460428107.0000027887D0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.2274113726.000001C1EEE6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3459959985.00000171D1A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3460428107.0000027887D0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.3460428107.0000027887D0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.3460428107.0000027887D0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.twitter.com (Twitter)
Source: firefox.exe, 00000015.00000002.3460428107.0000027887D0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.2420344682.000001C1F577D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2409788950.000001C1EEDC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2399904304.000001C1EC4E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.2398718990.000001C1EC48E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comD equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.2420344682.000001C1F577D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2409788950.000001C1EEDC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2430808545.000001C1EE53A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.2404632841.000001C1F8327000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2431301671.000001C1F8362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.2274937024.000001C1EDECA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2274937024.000001C1EDEF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.2405204836.000001C1F598A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.6:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49917 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49919 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49920 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49922 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49918 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49925 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49926 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_2f374eb0-ee54-4736-92c1-c3c4d62f47ba.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_2f374eb0-ee54-4736-92c1-c3c4d62f47ba.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre