Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562044
MD5:	f8f6b3f05a3b3bfe1f5600ae9b33f059
SHA1:	8fd0d4770ccceada563470d85d022825b4adde33
SHA256:	8faa25a839f7163b52b8b26c672ce31f22c9a69eb29917a7d56ece2f39d4b68b
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7248 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F8F6B3F05A3B3BFE1F5600AE9B33F059)

taskkill.exe (PID: 7264 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7400 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7464 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7528 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7608 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7712 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7760 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7776 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5256 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {343c6f86-1b5f-473e-9dba-35b770c7833f} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1fd7576dd10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7284 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3016 -parentBuildID 20230927232528 -prefsHandle 3060 -prefMapHandle 2996 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2796a079-c3f2-485a-9277-415ee10c3b63} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1fd05fc6e10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7308 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5180 -prefMapHandle 5176 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99b798a6-e00b-468f-8fbe-32fc4b2fef5c} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1fd0f5fab10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1296873839.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
00000000.00000003.1236545654.0000000000F64000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 7248	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00A7EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00A7EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A7ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A7ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00A7EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A6AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00A6AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A99576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00A99576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1236121766.0000000000AC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2f517f55-b
Source: file.exe, 00000000.00000000.1236121766.0000000000AC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_36942ef1-3
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1460a83d-1
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_abbf59b3-8

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_000001ED602AA637 NtQuerySystemInformation,		23_2_000001ED602AA637
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_000001ED60846632 NtQuerySystemInformation,		23_2_000001ED60846632

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A6D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00A6D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A61201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00A61201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A6E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00A6E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A08060	0_2_00A08060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A72046	0_2_00A72046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A68298	0_2_00A68298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3E4FF	0_2_00A3E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3676B	0_2_00A3676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A94873	0_2_00A94873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2CAA0	0_2_00A2CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A0CAF0	0_2_00A0CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1CC39	0_2_00A1CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A36DD9	0_2_00A36DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A091C0	0_2_00A091C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1B119	0_2_00A1B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A21394	0_2_00A21394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A21706	0_2_00A21706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2781B	0_2_00A2781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A219B0	0_2_00A219B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A07920	0_2_00A07920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1997D	0_2_00A1997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A27A4A	0_2_00A27A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A27CA7	0_2_00A27CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A21C77	0_2_00A21C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A39EEE	0_2_00A39EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8BE44	0_2_00A8BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A21F32	0_2_00A21F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_000001ED602AA637	23_2_000001ED602AA637
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_000001ED60846632	23_2_000001ED60846632
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_000001ED60846672	23_2_000001ED60846672
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_000001ED60846D5C	23_2_000001ED60846D5C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A09CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A1F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A20A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@66/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A737B5 GetLastError,FormatMessageW,

0_2_00A737B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A610BF AdjustTokenPrivileges,CloseHandle,		0_2_00A610BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00A616C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00A751CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A6D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00A6D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A7648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00A7648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00A042A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user~1\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 00000010.00000003.1469758973.000001FD1089C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1376512189.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1469113934.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1379344256.000001FD0DCB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1497926760.000001FD116AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 00000010.00000003.1376512189.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1469113934.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1497926760.000001FD116AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 00000010.00000003.1376512189.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1469113934.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1497926760.000001FD116AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 00000010.00000003.1376512189.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1469113934.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1497926760.000001FD116AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 00000010.00000003.1379344256.000001FD0DCB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 00000010.00000003.1376512189.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1469113934.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1497926760.000001FD116AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 00000010.00000003.1376512189.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1469113934.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1497926760.000001FD116AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 00000010.00000003.1376512189.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1469113934.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1497926760.000001FD116AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 00000010.00000003.1376512189.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1469113934.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1497926760.000001FD116AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 00000010.00000003.1376512189.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1469113934.000001FD116A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1497926760.000001FD116AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

Virustotal: Detection: 37%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {343c6f86-1b5f-473e-9dba-35b770c7833f} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1fd7576dd10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3016 -parentBuildID 20230927232528 -prefsHandle 3060 -prefMapHandle 2996 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2796a079-c3f2-485a-9277-415ee10c3b63} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1fd05fc6e10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5180 -prefMapHandle 5176 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99b798a6-e00b-468f-8fbe-32fc4b2fef5c} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1fd0f5fab10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {343c6f86-1b5f-473e-9dba-35b770c7833f} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1fd7576dd10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5180 -prefMapHandle 5176 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99b798a6-e00b-468f-8fbe-32fc4b2fef5c} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1fd0f5fab10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3016 -parentBuildID 20230927232528 -prefsHandle 3060 -prefMapHandle 2996 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2796a079-c3f2-485a-9277-415ee10c3b63} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1fd05fc6e10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5180 -prefMapHandle 5176 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99b798a6-e00b-468f-8fbe-32fc4b2fef5c} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1fd0f5fab10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.16.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 00000010.00000003.1401733187.000001FD02D9F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 00000010.00000003.1399175024.000001FD02DAE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 00000010.00000003.1401143858.000001FD02DA8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 00000010.00000003.1401733187.000001FD02D9F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 00000010.00000003.1399175024.000001FD02DAE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 00000010.00000003.1399808659.000001FD02DA0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.16.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 00000010.00000003.1401143858.000001FD02DA8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 00000010.00000003.1399808659.000001FD02DA0000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A042DE

Source: gmpopenh264.dll.tmp.16.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A20A76 push ecx; ret

0_2_00A20A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00A1F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A91C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00A91C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96346

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 23_2_000001ED602AA637 rdtsc

23_2_000001ED602AA637

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A6DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3C2A2 FindFirstFileExW,	0_2_00A3C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A768EE FindFirstFileW,FindClose,	0_2_00A768EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00A7698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A6D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A6D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A79642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A79642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A7979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A79B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00A79B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A75C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00A75C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A042DE

Source: firefox.exe, 00000015.00000002.2506786044.000001B391D40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: firefox.exe, 00000015.00000002.2500170307.000001B39156A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2504507482.000001ED60730000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2504674840.0000022569200000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2498994165.0000022568D5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000015.00000002.2505713790.000001B391921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000017.00000002.2498368201.000001ED5FF4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPns`
Source: firefox.exe, 00000015.00000002.2500170307.000001B39156A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 00000015.00000002.2506786044.000001B391D40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2504507482.000001ED60730000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 23_2_000001ED602AA637 rdtsc

23_2_000001ED602AA637

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A7EAA2 BlockInput,

0_2_00A7EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A32622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00A32622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A042DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A24CE8 mov eax, dword ptr fs:[00000030h]

0_2_00A24CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A60B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00A60B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A32622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A2083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A209D5 SetUnhandledExceptionFilter,	0_2_00A209D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A20C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00A20C21

Source: C:\Users\user\Desktop\file.exe

0_2_00A61201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A42BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A42BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A6B226 SendInput,keybd_event,

0_2_00A6B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00A822DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00A60B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A61663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00A61663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A20698 cpuid

0_2_00A20698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A78195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00A78195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A5D27A GetUserNameW,

0_2_00A5D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A3B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00A3B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A042DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1296873839.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1236545654.0000000000F64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7248, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1296873839.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1236545654.0000000000F64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7248, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A81204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00A81204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A81806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00A81806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	38%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.193	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.193.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.17.78	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.129.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000010.00000003.1326075646.000001FD7FD78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1494530147.000001FD0DA3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2499865239.000001ED601C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2501476893.00000225691C4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 00000010.00000003.1355659626.000001FD0EFFB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.16.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 00000010.00000003.1424534118.000001FD0DB3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1405487078.000001FD0DB34000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000017.00000002.2499865239.000001ED60186000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2501476893.000002256918F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 00000010.00000003.1489693296.000001FD0E14D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 00000010.00000003.1378636100.000001FD0F59D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 00000010.00000003.1328148477.000001FD0E091000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mathiasbynens.be/notes/javascript-escapes#single	firefox.exe, 00000010.00000003.1455845256.000001FD06A30000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000010.00000003.1285794356.000001FD05340000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1286072133.000001FD0537F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1285484262.000001FD05100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1285645469.000001FD05321000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1285928088.000001FD05360000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 00000010.00000003.1498255105.000001FD11685000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1469113934.000001FD11685000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1376512189.000001FD11685000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 00000010.00000003.1380118807.000001FD0DA84000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 00000010.00000003.1379003546.000001FD0DFE9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000010.00000003.1285794356.000001FD05340000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1286072133.000001FD0537F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1285484262.000001FD05100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1378636100.000001FD0F591000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1343278587.000001FD06953000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1472142075.000001FD0F591000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1345515663.000001FD06952000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1393867713.000001FD06940000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1341213409.000001FD06953000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1338294629.000001FD06953000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1285645469.000001FD05321000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1285928088.000001FD05360000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 00000010.00000003.1491353975.000001FD08B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1322770443.000001FD08B33000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 00000010.00000003.1285794356.000001FD05340000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1285484262.000001FD05100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1285645469.000001FD05321000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1285928088.000001FD05360000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/account?=ht~	firefox.exe, 00000017.00000002.2504040206.000001ED602C0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 00000010.00000003.1325262894.000001FD0F395000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://exslt.org/sets	firefox.exe, 00000010.00000003.1467852220.000001FD7E68A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 00000010.00000003.1494357896.000001FD0DABC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1481653699.000001FD0788D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1388843748.000001FD0788D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1380118807.000001FD0DABC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1478649285.000001FD0DABC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 00000010.00000003.1328148477.000001FD0E0E5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	firefox.exe, 00000010.00000003.1474695727.000001FD0E1E6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.instagram.com/	firefox.exe, 00000010.00000003.1333605576.000001FD06837000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://exslt.org/common	firefox.exe, 00000010.00000003.1467852220.000001FD7E68A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ok.ru/	firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 00000010.00000003.1477581768.000001FD0DF75000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://fpn.firefox.com	firefox.exe, 00000010.00000003.1467248094.000001FD7EF89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1375857274.000001FD7EF89000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 00000010.00000003.1379003546.000001FD0DFE9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://exslt.org/dates-and-times	firefox.exe, 00000010.00000003.1502584260.000001FD7E65B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1467852220.000001FD7E65B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 00000010.00000003.1474695727.000001FD0E1F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2499865239.000001ED6010A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2501476893.000002256910C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 00000010.00000003.1356116307.000001FD05B2D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 00000010.00000003.1321876728.000001FD0F474000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1472446090.000001FD0F474000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 00000010.00000003.1489693296.000001FD0E14D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 00000010.00000003.1378898265.000001FD0F2BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1493141016.000001FD0F2E7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000010.00000003.1493851706.000001FD0DF0C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2499865239.000001ED601C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2501476893.00000225691C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 00000010.00000003.1321176863.000001FD0F599000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1479342729.000001FD0D951000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1321176863.000001FD0F58D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1380270778.000001FD0D951000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1494633856.000001FD0D953000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 00000010.00000003.1356116307.000001FD05B2D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 00000010.00000003.1333605576.000001FD06828000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 00000010.00000003.1376512189.000001FD11685000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://amazon.com	firefox.exe, 00000010.00000003.1326075646.000001FD7FD78000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.comP	firefox.exe, 00000010.00000003.1481046835.000001FD07ABD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1386312487.000001FD07ABD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.16.dr	false	high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000010.00000003.1502424466.000001FD7E6B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2501827173.000001B3917E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2499865239.000001ED601E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2504961449.0000022569303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.16.dr	false	high
https://spocs.getpocket.com/	firefox.exe, 00000017.00000002.2499865239.000001ED60112000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2501476893.0000022569113000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 00000010.00000003.1489693296.000001FD0E14D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://spocs.getpocket.com/CN=The	firefox.exe, 00000019.00000002.2501476893.0000022569113000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 00000010.00000003.1380118807.000001FD0DA84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 00000010.00000003.1475462037.000001FD0E0C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1328148477.000001FD0E0CF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/var(--focus-outline)	firefox.exe, 00000010.00000003.1481653699.000001FD0788D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1388843748.000001FD0788D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000010.00000003.1381902288.000001FD07EA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1405487078.000001FD0DB13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1457713405.000001FD05BB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1501897169.000001FD0DC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1395900585.000001FD05AEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1464765131.000001FD0663B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1483666332.000001FD068B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1436423503.000001FD057EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1449150596.000001FD04FFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1323781037.000001FD05F54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1497835217.000001FD04FFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1330835872.000001FD066EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1447775368.000001FD08E1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1296618009.000001FD057F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1459962149.000001FD0533E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1291913113.000001FD05AEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1333525702.000001FD066FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1456117406.000001FD06932000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1323339074.000001FD077D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1433960628.000001FD08EE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1349393272.000001FD06CEE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 00000010.00000003.1491353975.000001FD08B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1322770443.000001FD08B33000.00000004.00000800.00020000.00000000.sdmp	false	high
http://youtube.com/	firefox.exe, 00000010.00000003.1328148477.000001FD0E091000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 00000010.00000003.1491353975.000001FD08B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1322770443.000001FD08B33000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.16.dr	false	high
https://www.zhihu.com/	firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 00000010.00000003.1376395400.000001FD116CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1379613332.000001FD0DC68000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 00000010.00000003.1376395400.000001FD116CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1379613332.000001FD0DC68000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 00000010.00000003.1475462037.000001FD0E0C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1328148477.000001FD0E0CF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 00000010.00000003.1424534118.000001FD0DB3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1405487078.000001FD0DB34000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 00000010.00000003.1379003546.000001FD0DFDA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 00000010.00000003.1493539123.000001FD0E14D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1489693296.000001FD0E14D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 00000010.00000003.1379003546.000001FD0DFE9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 00000010.00000003.1379185189.000001FD0DF75000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 00000010.00000003.1288950495.000001FD02B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1287469467.000001FD02B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1288676964.000001FD02B21000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 00000010.00000003.1390104629.000001FD07004000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mathiasbynens.be/	firefox.exe, 00000010.00000003.1455845256.000001FD06A30000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000015.00000002.2505386317.000001B391800000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2503054990.000001ED60220000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2500265925.0000022568EA0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 00000010.00000003.1480026988.000001FD08B37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1322770443.000001FD08B37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1491353975.000001FD08B37000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 00000010.00000003.1356116307.000001FD05B2D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 00000010.00000003.1288950495.000001FD02B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1287469467.000001FD02B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1288676964.000001FD02B21000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 00000010.00000003.1378898265.000001FD0F2BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1493141016.000001FD0F2E7000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562044
Start date and time:	2024-11-25 06:36:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@66/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 41 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.32.237.164, 52.27.142.243, 34.209.229.249, 172.217.17.78, 88.221.134.209, 88.221.134.155, 172.217.17.42
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, time.windows.com, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:37:14	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Cryptbot	Browse	34.116.198.130
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://sites.google.com/mdisrupt.com/rfp/home	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	425041987.html	Get hash	malicious	Unknown	Browse	151.101.194.109
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_3b636ac8-4ab4-4839-b2e3-b3220a7a0b96.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.17251984376539
Encrypted:	false
SSDEEP:	192:GMvMXJl+cbhbVbTbfbRbObtbyEl7nwr5JA6unSrDtTkd/S9n:GFucNhnzFSJQrU1nSrDhkd/cn
MD5:	020388F925ED44E70A4FCB26DD81B5B2
SHA1:	A2BB6E8C2F844151FB9F3D5A7EDDA05B234038D4
SHA-256:	27729E8AEF1E3FBB4D344F64135E4758C435D50F0B7E3A0D279516B148E0DB96
SHA-512:	F8AC38BE35E18E1875B032C04F19DED181160D6D177BDE4808369A046FDFE9D04AA35C65471E7A83FA1C620EC279DB1C2FCCBC874B85235584E35B371B2A0019
Malicious:	false
Preview:	{"type":"uninstall","id":"3b636ac8-4ab4-4839-b2e3-b3220a7a0b96","creationDate":"2024-11-25T06:42:55.268Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_3b636ac8-4ab4-4839-b2e3-b3220a7a0b96.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.17251984376539
Encrypted:	false
SSDEEP:	192:GMvMXJl+cbhbVbTbfbRbObtbyEl7nwr5JA6unSrDtTkd/S9n:GFucNhnzFSJQrU1nSrDhkd/cn
MD5:	020388F925ED44E70A4FCB26DD81B5B2
SHA1:	A2BB6E8C2F844151FB9F3D5A7EDDA05B234038D4
SHA-256:	27729E8AEF1E3FBB4D344F64135E4758C435D50F0B7E3A0D279516B148E0DB96
SHA-512:	F8AC38BE35E18E1875B032C04F19DED181160D6D177BDE4808369A046FDFE9D04AA35C65471E7A83FA1C620EC279DB1C2FCCBC874B85235584E35B371B2A0019
Malicious:	false
Preview:	{"type":"uninstall","id":"3b636ac8-4ab4-4839-b2e3-b3220a7a0b96","creationDate":"2024-11-25T06:42:55.268Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.941371713313271
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLir8P:8S+Oc+UAOdwiOdKeQjDLir8P
MD5:	023521EAB82CFFA85425FDBCF7131800
SHA1:	291E40EC0C52503C775D5B4E59A3C8AFAB5CFAA6
SHA-256:	D85E17626A87DC3A2381E7B6026F2192C27A4006202B6AB2AE5AE2F8CC1FEB8F
SHA-512:	BDDA1CE48A0878AFAEBF80544C59E80A87C840D1970ABF5B0FCC2880E02D32F56E7213D62E1D2DDA90B674D46A23A2F58667703E86E9F2BE6F6AC75280DDF92D
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.941371713313271
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLir8P:8S+Oc+UAOdwiOdKeQjDLir8P
MD5:	023521EAB82CFFA85425FDBCF7131800
SHA1:	291E40EC0C52503C775D5B4E59A3C8AFAB5CFAA6
SHA-256:	D85E17626A87DC3A2381E7B6026F2192C27A4006202B6AB2AE5AE2F8CC1FEB8F
SHA-512:	BDDA1CE48A0878AFAEBF80544C59E80A87C840D1970ABF5B0FCC2880E02D32F56E7213D62E1D2DDA90B674D46A23A2F58667703E86E9F2BE6F6AC75280DDF92D
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07326747388524033
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkitG0t:DLhesh7Owd4+ji80
MD5:	D9E676E8D06E98FE3E635D1DC2E0AD8D
SHA1:	EB56A140FF8ECDB6B56285CADC664F2CD1568292
SHA-256:	E9822B03BB0316524ABFC55909374EE97B1E6C0B18A970A0B4C42F8994143E23
SHA-512:	1FE9C66A02140D55076A1F159A2B19F62AB391583FF3952E772282D085BC323F012D7BBBB66886ABAC8632315916277087E0AE6A0150D5FD4563E3D3346C3467
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035325086693798996
Encrypted:	false
SSDEEP:	3:GtlstFz54mr5797SxhIll3lstFz54mr5797SxrltT89//alEl:GtWtp797IIl1Wtp797CD89XuM
MD5:	507036A84A7689A194079A267B46D48C
SHA1:	694B97948C21D93C4927F0BCCF6579C30419686E
SHA-256:	8E0C67523E5884BB1D417AC107F5D5BDB785874B32C21B8FEEBEBE136FE3E48F
SHA-512:	05C8BC4F3CE96F7A6E29B55A27BA0EE2A3746792629195309EDDBD3CCE38735E38977D6265132A5B49C13A8B3DD6DEA443D491728118D2185A01B7A03F588201
Malicious:	false
Preview:	..-......................qE]....}_V`...../....p...-......................qE]....}_V`...../....p.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.039920253262097694
Encrypted:	false
SSDEEP:	3:Ol1d9TKLYHtollfYGtTtl8rEXsxdwhml8XW3R2:Kj9TOYqt5l8dMhm93w
MD5:	A585EFE671F89A07C7EBFFC56D51E319
SHA1:	261E8113F2DC1DD5CEF355922070533B88AD7E39
SHA-256:	187C4A94FBFEC12CA93DBD89B52C8F3468368A34AFCCF14FB7B2D10F8F61FB2F
SHA-512:	17910A2736B553121BF3BBFBDD95938968FA9961D96153570128922C279A0D412CB5B948312CA8B8AFEF732073E740BEAAF6D1B7BD7DBC95509D605835ABE3AC
Malicious:	false
Preview:	7....-..........}_V`....6.b...9S........}_V`....]Eq....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.478410383156397
Encrypted:	false
SSDEEP:	192:ldnSRkyYbBp61qUCaXv6VZDNa25RHNBw8dznSl:OeyqU6PZRPws0
MD5:	6F9D4EA2911DABC498A1B4702C1C13F2
SHA1:	86FA2F2E056D1DAF2DB73EDAA1357FB13F509B91
SHA-256:	B5F5778F924BEC3391B62ADB38151F7FB42DBDF4DF7E95DD6AEA60E8EF65320F
SHA-512:	C013B0E83A50B0D855912CE5B4832EB1060EA0FE373042AB2DE5174C1B0567084CB4BFDDB04369A7D824B2F92E7F3705CC7AF2E1837225663DC3C59EB6876583
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732516946);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732516946);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732516946);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173251

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.478410383156397
Encrypted:	false
SSDEEP:	192:ldnSRkyYbBp61qUCaXv6VZDNa25RHNBw8dznSl:OeyqU6PZRPws0
MD5:	6F9D4EA2911DABC498A1B4702C1C13F2
SHA1:	86FA2F2E056D1DAF2DB73EDAA1357FB13F509B91
SHA-256:	B5F5778F924BEC3391B62ADB38151F7FB42DBDF4DF7E95DD6AEA60E8EF65320F
SHA-512:	C013B0E83A50B0D855912CE5B4832EB1060EA0FE373042AB2DE5174C1B0567084CB4BFDDB04369A7D824B2F92E7F3705CC7AF2E1837225663DC3C59EB6876583
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732516946);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732516946);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732516946);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173251

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.354747241813884
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSf2UbLXnIg9/pnxQwRlszT5sKhicV3eHV6BoT1amhuj3pOOcUb4Ymm:GUpOx1EvnR6/3eM6T14584dHd
MD5:	DCB5921594266A9B73CFEE65D3800DBC
SHA1:	A6604886703D69BE1B880116D571340B725AB90C
SHA-256:	E2FB42792BE0EFC798C03CBDA9A325AA226E5198887A42C0B1F746DD6EA0EEDB
SHA-512:	830C213BA52D0ABFDA90B33BB665D2DD8E3FD9149853E9F1272ACBBDC57FE25886BF5CD5B4168FBEAABD8C49BCBF4B3D7F62F63338667AB35B2AAA7E1D263CAE
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a23f59f1-fb53-4f17-8d92-7d3ce5569b6b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732516952089,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..iUpdate...90,"startTim..P14593...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu....bbc25ad08ccc1b2d785bc1812d8faa4d50f401055c84...6d11bb3b0958223be","pa..p"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...22092,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.354747241813884
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSf2UbLXnIg9/pnxQwRlszT5sKhicV3eHV6BoT1amhuj3pOOcUb4Ymm:GUpOx1EvnR6/3eM6T14584dHd
MD5:	DCB5921594266A9B73CFEE65D3800DBC
SHA1:	A6604886703D69BE1B880116D571340B725AB90C
SHA-256:	E2FB42792BE0EFC798C03CBDA9A325AA226E5198887A42C0B1F746DD6EA0EEDB
SHA-512:	830C213BA52D0ABFDA90B33BB665D2DD8E3FD9149853E9F1272ACBBDC57FE25886BF5CD5B4168FBEAABD8C49BCBF4B3D7F62F63338667AB35B2AAA7E1D263CAE
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a23f59f1-fb53-4f17-8d92-7d3ce5569b6b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732516952089,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..iUpdate...90,"startTim..P14593...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu....bbc25ad08ccc1b2d785bc1812d8faa4d50f401055c84...6d11bb3b0958223be","pa..p"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...22092,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.354747241813884
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSf2UbLXnIg9/pnxQwRlszT5sKhicV3eHV6BoT1amhuj3pOOcUb4Ymm:GUpOx1EvnR6/3eM6T14584dHd
MD5:	DCB5921594266A9B73CFEE65D3800DBC
SHA1:	A6604886703D69BE1B880116D571340B725AB90C
SHA-256:	E2FB42792BE0EFC798C03CBDA9A325AA226E5198887A42C0B1F746DD6EA0EEDB
SHA-512:	830C213BA52D0ABFDA90B33BB665D2DD8E3FD9149853E9F1272ACBBDC57FE25886BF5CD5B4168FBEAABD8C49BCBF4B3D7F62F63338667AB35B2AAA7E1D263CAE
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a23f59f1-fb53-4f17-8d92-7d3ce5569b6b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732516952089,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..iUpdate...90,"startTim..P14593...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu....bbc25ad08ccc1b2d785bc1812d8faa4d50f401055c84...6d11bb3b0958223be","pa..p"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...22092,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.036716340592952
Encrypted:	false
SSDEEP:	48:YrSAYneUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAcb5:ycn+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	6E05ABF948C63E5ACB0E0A5531E72361
SHA1:	8A570432E425AC391B92DA16F32AF90CF04FA973
SHA-256:	385829E347F2651B006D8B18E1FCF7CD3399B0F5A704C98069C4673AC448C272
SHA-512:	0FEDCB6B4AFF619B310E55CD2BD23F6D9ED2759B04D898F021C885AC1E7BE35438553EBF86C3624081E02DC99292DE7DE4B375C06C9B01E9F5C147C02818F252
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-25T06:42:10.983Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.036716340592952
Encrypted:	false
SSDEEP:	48:YrSAYneUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAcb5:ycn+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	6E05ABF948C63E5ACB0E0A5531E72361
SHA1:	8A570432E425AC391B92DA16F32AF90CF04FA973
SHA-256:	385829E347F2651B006D8B18E1FCF7CD3399B0F5A704C98069C4673AC448C272
SHA-512:	0FEDCB6B4AFF619B310E55CD2BD23F6D9ED2759B04D898F021C885AC1E7BE35438553EBF86C3624081E02DC99292DE7DE4B375C06C9B01E9F5C147C02818F252
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-25T06:42:10.983Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.592797222959452
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'624 bytes
MD5:	f8f6b3f05a3b3bfe1f5600ae9b33f059
SHA1:	8fd0d4770ccceada563470d85d022825b4adde33
SHA256:	8faa25a839f7163b52b8b26c672ce31f22c9a69eb29917a7d56ece2f39d4b68b
SHA512:	dc97ab1bcf3e197b9a8ac699393a187b715be6c4a6bf8fe5a5aa2c54ed4d7312ec047276039bee9c9b9c87510e64a729e95758593735a73b95753b8f0f675865
SSDEEP:	12288:vqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgapT4:vqDEvCTbMWu7rQYlBQcBiT6rprG8at4
TLSH:	1D159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67440A52 [Mon Nov 25 05:25:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FBC544F9423h
jmp 00007FBC544F8D2Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FBC544F8F0Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FBC544F8EDAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FBC544FBACDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FBC544FBB18h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FBC544FBB01h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa97c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa97c	0xaa00	acc8a98cfb6408e5e2a346b5d6879002	False	0.3758501838235294	data	5.654199157276306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1c44	data			1.0015201768933113
RT_GROUP_ICON	0xde3fc	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde474	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde488	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde49c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde4b0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde58c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 06:37:11.171881914 CET	49706	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:11.172228098 CET	49707	443	192.168.2.7	35.190.72.216
Nov 25, 2024 06:37:11.172267914 CET	443	49707	35.190.72.216	192.168.2.7
Nov 25, 2024 06:37:11.172473907 CET	49707	443	192.168.2.7	35.190.72.216
Nov 25, 2024 06:37:11.211546898 CET	49707	443	192.168.2.7	35.190.72.216
Nov 25, 2024 06:37:11.211564064 CET	443	49707	35.190.72.216	192.168.2.7
Nov 25, 2024 06:37:11.212035894 CET	49708	443	192.168.2.7	142.250.181.78
Nov 25, 2024 06:37:11.212079048 CET	443	49708	142.250.181.78	192.168.2.7
Nov 25, 2024 06:37:11.212160110 CET	49708	443	192.168.2.7	142.250.181.78
Nov 25, 2024 06:37:11.212165117 CET	49709	443	192.168.2.7	142.250.181.78
Nov 25, 2024 06:37:11.212229967 CET	443	49709	142.250.181.78	192.168.2.7
Nov 25, 2024 06:37:11.212409973 CET	49709	443	192.168.2.7	142.250.181.78
Nov 25, 2024 06:37:11.215869904 CET	49709	443	192.168.2.7	142.250.181.78
Nov 25, 2024 06:37:11.215890884 CET	443	49709	142.250.181.78	192.168.2.7
Nov 25, 2024 06:37:11.217155933 CET	49708	443	192.168.2.7	142.250.181.78
Nov 25, 2024 06:37:11.217171907 CET	443	49708	142.250.181.78	192.168.2.7
Nov 25, 2024 06:37:11.291448116 CET	80	49706	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:11.291954994 CET	49706	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:11.292140007 CET	49706	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:11.366034985 CET	49710	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:11.366090059 CET	443	49710	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:11.366700888 CET	49710	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:11.368454933 CET	49710	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:11.368474007 CET	443	49710	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:11.397602081 CET	49711	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:11.397629023 CET	443	49711	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:11.398327112 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:11.398432970 CET	443	49712	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:11.399271965 CET	49711	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:11.399374962 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:11.400717020 CET	49711	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:11.400736094 CET	443	49711	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:11.400886059 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:11.400926113 CET	443	49712	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:11.411586046 CET	80	49706	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:11.808000088 CET	49713	443	192.168.2.7	34.160.144.191
Nov 25, 2024 06:37:11.808039904 CET	443	49713	34.160.144.191	192.168.2.7
Nov 25, 2024 06:37:11.809556007 CET	49713	443	192.168.2.7	34.160.144.191
Nov 25, 2024 06:37:11.809640884 CET	49713	443	192.168.2.7	34.160.144.191
Nov 25, 2024 06:37:11.809648037 CET	443	49713	34.160.144.191	192.168.2.7
Nov 25, 2024 06:37:12.377309084 CET	80	49706	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:12.422976971 CET	49706	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:12.524933100 CET	443	49707	35.190.72.216	192.168.2.7
Nov 25, 2024 06:37:12.530554056 CET	49707	443	192.168.2.7	35.190.72.216
Nov 25, 2024 06:37:12.555207014 CET	49715	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:12.561630964 CET	49707	443	192.168.2.7	35.190.72.216
Nov 25, 2024 06:37:12.561645985 CET	443	49707	35.190.72.216	192.168.2.7
Nov 25, 2024 06:37:12.561755896 CET	49707	443	192.168.2.7	35.190.72.216
Nov 25, 2024 06:37:12.561979055 CET	443	49707	35.190.72.216	192.168.2.7
Nov 25, 2024 06:37:12.562263966 CET	49707	443	192.168.2.7	35.190.72.216
Nov 25, 2024 06:37:12.648391008 CET	443	49710	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:12.659346104 CET	443	49710	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:12.663295984 CET	49710	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:12.667578936 CET	49710	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:12.667587042 CET	443	49710	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:12.667673111 CET	49710	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:12.667849064 CET	443	49710	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:12.674670935 CET	80	49715	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:12.674892902 CET	443	49711	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:12.683109045 CET	49710	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:12.683176994 CET	49711	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:12.683177948 CET	49715	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:12.685234070 CET	49715	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:12.687453032 CET	49711	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:12.687469959 CET	443	49711	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:12.687519073 CET	49711	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:12.687693119 CET	443	49711	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:12.703259945 CET	49711	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:12.707006931 CET	443	49712	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:12.707097054 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:12.709995985 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:12.710011005 CET	443	49712	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:12.710289955 CET	443	49712	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:12.712157011 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:12.712239027 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:12.712316990 CET	443	49712	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:12.712543964 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:12.714030027 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:12.804729939 CET	80	49715	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:12.957045078 CET	443	49709	142.250.181.78	192.168.2.7
Nov 25, 2024 06:37:12.957828045 CET	443	49709	142.250.181.78	192.168.2.7
Nov 25, 2024 06:37:12.958049059 CET	49709	443	192.168.2.7	142.250.181.78
Nov 25, 2024 06:37:12.958117008 CET	443	49709	142.250.181.78	192.168.2.7
Nov 25, 2024 06:37:12.983051062 CET	49709	443	192.168.2.7	142.250.181.78
Nov 25, 2024 06:37:12.983094931 CET	443	49709	142.250.181.78	192.168.2.7
Nov 25, 2024 06:37:12.983170033 CET	49709	443	192.168.2.7	142.250.181.78
Nov 25, 2024 06:37:12.983334064 CET	443	49709	142.250.181.78	192.168.2.7
Nov 25, 2024 06:37:12.994726896 CET	49709	443	192.168.2.7	142.250.181.78
Nov 25, 2024 06:37:13.000387907 CET	443	49708	142.250.181.78	192.168.2.7
Nov 25, 2024 06:37:13.001430988 CET	443	49708	142.250.181.78	192.168.2.7
Nov 25, 2024 06:37:13.007338047 CET	443	49708	142.250.181.78	192.168.2.7
Nov 25, 2024 06:37:13.025444984 CET	443	49713	34.160.144.191	192.168.2.7
Nov 25, 2024 06:37:13.027729034 CET	49713	443	192.168.2.7	34.160.144.191
Nov 25, 2024 06:37:13.027733088 CET	49708	443	192.168.2.7	142.250.181.78
Nov 25, 2024 06:37:13.032442093 CET	49713	443	192.168.2.7	34.160.144.191
Nov 25, 2024 06:37:13.032449007 CET	443	49713	34.160.144.191	192.168.2.7
Nov 25, 2024 06:37:13.032785892 CET	443	49713	34.160.144.191	192.168.2.7
Nov 25, 2024 06:37:13.035794973 CET	49708	443	192.168.2.7	142.250.181.78
Nov 25, 2024 06:37:13.035818100 CET	443	49708	142.250.181.78	192.168.2.7
Nov 25, 2024 06:37:13.035896063 CET	49708	443	192.168.2.7	142.250.181.78
Nov 25, 2024 06:37:13.036031008 CET	443	49708	142.250.181.78	192.168.2.7
Nov 25, 2024 06:37:13.036798000 CET	49708	443	192.168.2.7	142.250.181.78
Nov 25, 2024 06:37:13.038841009 CET	49713	443	192.168.2.7	34.160.144.191
Nov 25, 2024 06:37:13.039072990 CET	443	49713	34.160.144.191	192.168.2.7
Nov 25, 2024 06:37:13.039079905 CET	49713	443	192.168.2.7	34.160.144.191
Nov 25, 2024 06:37:13.039091110 CET	443	49713	34.160.144.191	192.168.2.7
Nov 25, 2024 06:37:13.039278984 CET	49713	443	192.168.2.7	34.160.144.191
Nov 25, 2024 06:37:13.252691031 CET	49706	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:13.372526884 CET	80	49706	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:13.373183012 CET	49706	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:13.488467932 CET	49716	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:13.488518953 CET	443	49716	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:13.488682032 CET	49716	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:13.490380049 CET	49716	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:13.490397930 CET	443	49716	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:13.854254961 CET	49718	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:13.860961914 CET	80	49715	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:13.865959883 CET	49715	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:13.973733902 CET	80	49718	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:13.973860025 CET	49718	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:13.974055052 CET	49718	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:13.985698938 CET	80	49715	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:13.985761881 CET	49715	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:14.093480110 CET	80	49718	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:14.753429890 CET	443	49716	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:14.753519058 CET	49716	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:14.758554935 CET	49716	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:14.758569002 CET	443	49716	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:14.758678913 CET	49716	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:14.758722067 CET	443	49716	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:14.759071112 CET	49721	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:14.759103060 CET	443	49721	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:14.759133101 CET	49716	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:14.759330988 CET	49721	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:14.760601997 CET	49721	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:14.760612011 CET	443	49721	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:15.105412006 CET	80	49718	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:15.147599936 CET	49718	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:15.167850971 CET	49722	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:15.167884111 CET	443	49722	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:15.168550968 CET	49722	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:15.168643951 CET	49722	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:15.168653965 CET	443	49722	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:15.199999094 CET	49723	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:15.200050116 CET	443	49723	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:15.209604979 CET	49723	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:15.211122036 CET	49723	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:15.211139917 CET	443	49723	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:15.239882946 CET	49724	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:15.239924908 CET	443	49724	34.107.243.93	192.168.2.7
Nov 25, 2024 06:37:15.242273092 CET	49724	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:15.244148970 CET	49724	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:15.244163990 CET	443	49724	34.107.243.93	192.168.2.7
Nov 25, 2024 06:37:16.249763012 CET	443	49721	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:16.249955893 CET	49721	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:16.256824017 CET	49721	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:16.256829977 CET	443	49721	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:16.256927967 CET	49721	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:16.256989956 CET	443	49721	34.117.188.166	192.168.2.7
Nov 25, 2024 06:37:16.257199049 CET	49721	443	192.168.2.7	34.117.188.166
Nov 25, 2024 06:37:16.379077911 CET	443	49722	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:16.379182100 CET	49722	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:16.382064104 CET	49722	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:16.382071018 CET	443	49722	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:16.382303953 CET	443	49722	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:16.385102034 CET	49722	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:16.385169029 CET	49722	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:16.385234118 CET	443	49722	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:16.385324001 CET	49722	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:16.517306089 CET	443	49723	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:16.517318964 CET	443	49723	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:16.517671108 CET	49723	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:16.522176027 CET	49723	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:16.522192001 CET	443	49723	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:16.522321939 CET	49723	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:16.522489071 CET	443	49723	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:16.522542000 CET	49723	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:16.549941063 CET	443	49724	34.107.243.93	192.168.2.7
Nov 25, 2024 06:37:16.550014973 CET	49724	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:16.554354906 CET	49724	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:16.554366112 CET	443	49724	34.107.243.93	192.168.2.7
Nov 25, 2024 06:37:16.554435015 CET	49724	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:16.554585934 CET	443	49724	34.107.243.93	192.168.2.7
Nov 25, 2024 06:37:16.554718971 CET	49724	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:21.849325895 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:21.969496012 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:21.969589949 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:21.969830036 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:22.089245081 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:23.101938963 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:23.163484097 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:23.435326099 CET	49718	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:23.442861080 CET	49718	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:23.474942923 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:23.554845095 CET	80	49718	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:23.562674046 CET	80	49718	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:23.562853098 CET	49718	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:23.574779034 CET	49746	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:23.574829102 CET	443	49746	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:23.580331087 CET	49746	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:23.582803965 CET	49746	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:23.582835913 CET	443	49746	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:23.594449997 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:23.602478027 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:23.602720022 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:23.652384996 CET	49748	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:23.652410030 CET	443	49748	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:23.656568050 CET	49748	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:23.656745911 CET	49748	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:23.656757116 CET	443	49748	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:23.722162008 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:23.757498980 CET	49751	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:23.757627964 CET	443	49751	34.107.243.93	192.168.2.7
Nov 25, 2024 06:37:23.757757902 CET	49751	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:23.759727001 CET	49751	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:23.759788036 CET	443	49751	34.107.243.93	192.168.2.7
Nov 25, 2024 06:37:24.733535051 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:24.783930063 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:24.843193054 CET	443	49746	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:24.843332052 CET	49746	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:24.847950935 CET	49746	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:24.847966909 CET	443	49746	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:24.848051071 CET	49746	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:24.848156929 CET	443	49746	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:24.848294973 CET	49746	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:24.959865093 CET	443	49748	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:24.960216999 CET	49748	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:24.963982105 CET	49748	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:24.963992119 CET	443	49748	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:24.964337111 CET	443	49748	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:24.967096090 CET	49748	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:24.967207909 CET	49748	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:24.967328072 CET	443	49748	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:24.967396021 CET	49748	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:24.969233036 CET	443	49751	34.107.243.93	192.168.2.7
Nov 25, 2024 06:37:24.970691919 CET	49751	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:24.975075006 CET	49751	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:24.975106955 CET	443	49751	34.107.243.93	192.168.2.7
Nov 25, 2024 06:37:24.975169897 CET	49751	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:24.975259066 CET	443	49751	34.107.243.93	192.168.2.7
Nov 25, 2024 06:37:24.975337982 CET	49751	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:27.647562981 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:27.707639933 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:27.726991892 CET	49759	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:27.727042913 CET	443	49759	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:27.728713989 CET	49760	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:27.728740931 CET	443	49760	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:27.729027987 CET	49759	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:27.729181051 CET	49760	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:27.729181051 CET	49759	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:27.729197979 CET	443	49759	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:27.729341030 CET	49760	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:27.729352951 CET	443	49760	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:27.767716885 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:27.827286959 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:27.848169088 CET	49761	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:27.848222017 CET	443	49761	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:27.848440886 CET	49761	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:27.849874020 CET	49761	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:27.849904060 CET	443	49761	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:27.972529888 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:28.031353951 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:28.031558037 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:28.078223944 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:28.985418081 CET	443	49759	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:28.985544920 CET	443	49760	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:28.989398003 CET	49759	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:28.989413977 CET	49760	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:29.074114084 CET	49759	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:29.074161053 CET	443	49759	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:29.074525118 CET	443	49759	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:29.076385021 CET	49760	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:29.076431036 CET	443	49760	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:29.076464891 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:29.076792955 CET	443	49760	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:29.082468033 CET	49760	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:29.082468033 CET	49760	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:29.082545996 CET	49759	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:29.082669973 CET	443	49760	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:29.082746983 CET	443	49759	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:29.082767963 CET	49759	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:29.082791090 CET	443	49759	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:29.083030939 CET	49760	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:29.083262920 CET	49759	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:29.105266094 CET	443	49761	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:29.105365038 CET	49761	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:29.196095943 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:29.400502920 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:29.451258898 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:29.608422041 CET	49761	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:29.608452082 CET	443	49761	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:29.608514071 CET	49761	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:29.608685017 CET	443	49761	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:29.613526106 CET	49761	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:29.618932962 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:29.620183945 CET	49767	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:29.620215893 CET	443	49767	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:29.621160984 CET	49767	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:29.623075008 CET	49767	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:29.623086929 CET	443	49767	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:29.738461971 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:29.942497015 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:29.946584940 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:29.983867884 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:30.066334963 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:30.271421909 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:30.316071987 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:30.924906015 CET	443	49767	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:30.925024986 CET	49767	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:30.930098057 CET	49767	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:30.930109024 CET	443	49767	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:30.930273056 CET	49767	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:30.930283070 CET	443	49767	34.120.208.123	192.168.2.7
Nov 25, 2024 06:37:30.931612968 CET	49767	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:37:30.933697939 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:31.053287029 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:31.258729935 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:31.262991905 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:31.303944111 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:31.383857965 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:31.587527990 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:31.642112017 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:38.233514071 CET	49788	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:38.233551979 CET	443	49788	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:38.235014915 CET	49788	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:38.235251904 CET	49788	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:38.235263109 CET	443	49788	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:38.254731894 CET	49789	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:38.254784107 CET	443	49789	34.107.243.93	192.168.2.7
Nov 25, 2024 06:37:38.254965067 CET	49789	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:38.256496906 CET	49789	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:38.256516933 CET	443	49789	34.107.243.93	192.168.2.7
Nov 25, 2024 06:37:38.258594990 CET	49790	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:38.258616924 CET	443	49790	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:38.261568069 CET	49790	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:38.261984110 CET	49790	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:38.261998892 CET	443	49790	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:38.268320084 CET	49791	443	192.168.2.7	35.190.72.216
Nov 25, 2024 06:37:38.268331051 CET	443	49791	35.190.72.216	192.168.2.7
Nov 25, 2024 06:37:38.277291059 CET	49791	443	192.168.2.7	35.190.72.216
Nov 25, 2024 06:37:38.279439926 CET	49791	443	192.168.2.7	35.190.72.216
Nov 25, 2024 06:37:38.279463053 CET	443	49791	35.190.72.216	192.168.2.7
Nov 25, 2024 06:37:38.391671896 CET	49792	443	192.168.2.7	151.101.193.91
Nov 25, 2024 06:37:38.391758919 CET	443	49792	151.101.193.91	192.168.2.7
Nov 25, 2024 06:37:38.391927958 CET	49792	443	192.168.2.7	151.101.193.91
Nov 25, 2024 06:37:38.392041922 CET	49792	443	192.168.2.7	151.101.193.91
Nov 25, 2024 06:37:38.392064095 CET	443	49792	151.101.193.91	192.168.2.7
Nov 25, 2024 06:37:38.407797098 CET	49793	443	192.168.2.7	35.201.103.21
Nov 25, 2024 06:37:38.407876015 CET	443	49793	35.201.103.21	192.168.2.7
Nov 25, 2024 06:37:38.408045053 CET	49793	443	192.168.2.7	35.201.103.21
Nov 25, 2024 06:37:38.409435987 CET	49793	443	192.168.2.7	35.201.103.21
Nov 25, 2024 06:37:38.409498930 CET	443	49793	35.201.103.21	192.168.2.7
Nov 25, 2024 06:37:39.471088886 CET	443	49790	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:39.473119020 CET	49790	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:39.476301908 CET	49790	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:39.476311922 CET	443	49790	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:39.476578951 CET	443	49790	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:39.479392052 CET	49790	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:39.479522943 CET	49790	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:39.479558945 CET	443	49790	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:39.480178118 CET	49790	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:39.486434937 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:39.540091038 CET	443	49788	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:39.540529013 CET	49788	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:39.544431925 CET	49788	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:39.544444084 CET	443	49788	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:39.544728041 CET	443	49788	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:39.547712088 CET	49788	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:39.547849894 CET	49788	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:39.547861099 CET	443	49788	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:39.548538923 CET	49788	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:39.560059071 CET	443	49789	34.107.243.93	192.168.2.7
Nov 25, 2024 06:37:39.560147047 CET	49789	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:39.565587044 CET	49789	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:39.565592051 CET	443	49789	34.107.243.93	192.168.2.7
Nov 25, 2024 06:37:39.565665960 CET	49789	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:39.565772057 CET	443	49789	34.107.243.93	192.168.2.7
Nov 25, 2024 06:37:39.566051006 CET	49789	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:39.599678040 CET	443	49791	35.190.72.216	192.168.2.7
Nov 25, 2024 06:37:39.599690914 CET	443	49791	35.190.72.216	192.168.2.7
Nov 25, 2024 06:37:39.599746943 CET	49791	443	192.168.2.7	35.190.72.216
Nov 25, 2024 06:37:39.604806900 CET	49791	443	192.168.2.7	35.190.72.216
Nov 25, 2024 06:37:39.604813099 CET	443	49791	35.190.72.216	192.168.2.7
Nov 25, 2024 06:37:39.604892015 CET	49791	443	192.168.2.7	35.190.72.216
Nov 25, 2024 06:37:39.604999065 CET	443	49791	35.190.72.216	192.168.2.7
Nov 25, 2024 06:37:39.605645895 CET	49791	443	192.168.2.7	35.190.72.216
Nov 25, 2024 06:37:39.605860949 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:39.650460958 CET	443	49792	151.101.193.91	192.168.2.7
Nov 25, 2024 06:37:39.650537014 CET	49792	443	192.168.2.7	151.101.193.91
Nov 25, 2024 06:37:39.653582096 CET	49792	443	192.168.2.7	151.101.193.91
Nov 25, 2024 06:37:39.653600931 CET	443	49792	151.101.193.91	192.168.2.7
Nov 25, 2024 06:37:39.653841972 CET	443	49792	151.101.193.91	192.168.2.7
Nov 25, 2024 06:37:39.656303883 CET	49792	443	192.168.2.7	151.101.193.91
Nov 25, 2024 06:37:39.656408072 CET	49792	443	192.168.2.7	151.101.193.91
Nov 25, 2024 06:37:39.656428099 CET	443	49792	151.101.193.91	192.168.2.7
Nov 25, 2024 06:37:39.656610012 CET	49792	443	192.168.2.7	151.101.193.91
Nov 25, 2024 06:37:39.666440964 CET	49798	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:39.666481972 CET	443	49798	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:39.667367935 CET	49798	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:39.667542934 CET	49798	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:39.667556047 CET	443	49798	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:39.669667959 CET	49799	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:39.669698000 CET	443	49799	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:39.669785023 CET	49799	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:39.669792891 CET	443	49793	35.201.103.21	192.168.2.7
Nov 25, 2024 06:37:39.669886112 CET	49799	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:39.669902086 CET	443	49799	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:39.670795918 CET	49793	443	192.168.2.7	35.201.103.21
Nov 25, 2024 06:37:39.674298048 CET	49800	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:39.674324989 CET	443	49800	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:39.674890041 CET	49800	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:39.674985886 CET	49800	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:39.674998045 CET	443	49800	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:39.676703930 CET	49793	443	192.168.2.7	35.201.103.21
Nov 25, 2024 06:37:39.676717043 CET	443	49793	35.201.103.21	192.168.2.7
Nov 25, 2024 06:37:39.676778078 CET	49793	443	192.168.2.7	35.201.103.21
Nov 25, 2024 06:37:39.676903963 CET	443	49793	35.201.103.21	192.168.2.7
Nov 25, 2024 06:37:39.677409887 CET	49793	443	192.168.2.7	35.201.103.21
Nov 25, 2024 06:37:39.681349039 CET	49801	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:39.681375980 CET	443	49801	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:39.681552887 CET	49801	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:39.681675911 CET	49801	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:39.681689024 CET	443	49801	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:39.810652971 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:39.823748112 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:39.863228083 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:39.943474054 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:40.147680998 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:40.195311069 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:40.876513004 CET	443	49798	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:40.876600981 CET	49798	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:40.879715919 CET	49798	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:40.879725933 CET	443	49798	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:40.879973888 CET	443	49798	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:40.882973909 CET	49798	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:40.883090019 CET	443	49798	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:40.883116961 CET	49798	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:40.883124113 CET	443	49798	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:40.883320093 CET	49798	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:40.888076067 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:40.930376053 CET	443	49800	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:40.930463076 CET	49800	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:40.934186935 CET	49800	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:40.934192896 CET	443	49800	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:40.934428930 CET	443	49800	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:40.937098980 CET	49800	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:40.937215090 CET	49800	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:40.937225103 CET	443	49801	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:40.937227964 CET	443	49800	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:40.946875095 CET	49800	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:40.946898937 CET	49801	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:40.951049089 CET	49801	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:40.951097965 CET	443	49801	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:40.951328993 CET	443	49801	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:40.954312086 CET	49801	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:40.954440117 CET	49801	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:40.954477072 CET	443	49801	34.149.100.209	192.168.2.7
Nov 25, 2024 06:37:40.955034018 CET	49801	443	192.168.2.7	34.149.100.209
Nov 25, 2024 06:37:40.971635103 CET	443	49799	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:40.971999884 CET	49799	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:40.974879026 CET	49799	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:40.974910021 CET	443	49799	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:40.975153923 CET	443	49799	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:40.978137016 CET	49799	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:40.978240967 CET	49799	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:40.978286982 CET	443	49799	35.244.181.201	192.168.2.7
Nov 25, 2024 06:37:40.982105970 CET	49799	443	192.168.2.7	35.244.181.201
Nov 25, 2024 06:37:41.007622004 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:41.211947918 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:41.215651035 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:41.251708984 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:41.335223913 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:41.539469004 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:41.584041119 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:51.228212118 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:51.349242926 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:51.544884920 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:37:51.664572954 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:37:59.582937002 CET	49846	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:59.583002090 CET	443	49846	34.107.243.93	192.168.2.7
Nov 25, 2024 06:37:59.583298922 CET	49846	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:59.584507942 CET	49846	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:37:59.584537983 CET	443	49846	34.107.243.93	192.168.2.7
Nov 25, 2024 06:38:00.799930096 CET	443	49846	34.107.243.93	192.168.2.7
Nov 25, 2024 06:38:00.800110102 CET	49846	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:38:00.805157900 CET	49846	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:38:00.805186033 CET	443	49846	34.107.243.93	192.168.2.7
Nov 25, 2024 06:38:00.805226088 CET	49846	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:38:00.805408955 CET	443	49846	34.107.243.93	192.168.2.7
Nov 25, 2024 06:38:00.805850029 CET	49846	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:38:00.807857037 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:00.927331924 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:01.131634951 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:01.134640932 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:01.182485104 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:01.254170895 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:01.458777905 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:01.499000072 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:07.840967894 CET	49866	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.841043949 CET	443	49866	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:07.841238022 CET	49867	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.841278076 CET	443	49867	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:07.841454029 CET	49868	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.841480017 CET	443	49868	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:07.841749907 CET	49869	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.841798067 CET	443	49869	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:07.841931105 CET	49870	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.841938972 CET	443	49870	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:07.842245102 CET	49871	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.842253923 CET	443	49871	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:07.847462893 CET	49866	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.847467899 CET	49868	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.847484112 CET	49867	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.847497940 CET	49870	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.847521067 CET	49869	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.847668886 CET	49871	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.847758055 CET	49866	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.847793102 CET	443	49866	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:07.847919941 CET	49867	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.847933054 CET	443	49867	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:07.847954988 CET	49868	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.847969055 CET	443	49868	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:07.848040104 CET	49869	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.848050117 CET	443	49869	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:07.848090887 CET	49870	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.848102093 CET	443	49870	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:07.848154068 CET	49871	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:07.848165035 CET	443	49871	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.104247093 CET	443	49868	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.104378939 CET	49868	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.105180025 CET	443	49871	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.105256081 CET	49871	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.107841969 CET	49868	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.107848883 CET	443	49868	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.108108997 CET	443	49868	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.110284090 CET	49871	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.110289097 CET	443	49871	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.110559940 CET	443	49871	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.111701012 CET	443	49870	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.113730907 CET	49868	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.113878965 CET	443	49868	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.114021063 CET	49868	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.114038944 CET	443	49868	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.114634037 CET	49874	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.114669085 CET	443	49874	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.114939928 CET	49871	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.115035057 CET	49871	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.115056038 CET	443	49871	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.115480900 CET	49875	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.115544081 CET	443	49875	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.117160082 CET	49871	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.117227077 CET	49870	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.117227077 CET	49868	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.117229939 CET	49871	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.117254019 CET	49875	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.117264986 CET	49874	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.121416092 CET	49870	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.121428967 CET	443	49870	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.121829033 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:09.121838093 CET	443	49870	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.122536898 CET	49874	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.122553110 CET	443	49874	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.122837067 CET	49875	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.122854948 CET	443	49875	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.124988079 CET	49870	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.124988079 CET	49870	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.125395060 CET	443	49870	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.128063917 CET	49870	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.152008057 CET	443	49869	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.152050972 CET	443	49867	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.152190924 CET	49869	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.152648926 CET	49867	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.153006077 CET	443	49866	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.153100967 CET	49866	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.155571938 CET	49869	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.155586004 CET	443	49869	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.155843019 CET	443	49869	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.157933950 CET	49866	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.157942057 CET	443	49866	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.158322096 CET	443	49866	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.160164118 CET	49867	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.160171986 CET	443	49867	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.160444021 CET	443	49867	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.165105104 CET	49869	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.165271044 CET	443	49869	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.165424109 CET	49869	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.165431023 CET	443	49869	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.165519953 CET	49866	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.165617943 CET	49866	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.165726900 CET	443	49866	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.166049004 CET	49867	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.166208029 CET	443	49867	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.166237116 CET	49867	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.166243076 CET	443	49867	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.167200089 CET	49866	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.241350889 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:09.379343987 CET	443	49869	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.379343033 CET	443	49867	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:09.379405022 CET	49869	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.379517078 CET	49867	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:09.445327044 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:09.449193954 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:09.494184017 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:09.568743944 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:09.773006916 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:09.825898886 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:10.455188036 CET	443	49874	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:10.455202103 CET	443	49875	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:10.455415964 CET	49874	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:10.455425978 CET	49875	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:10.459470034 CET	49874	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:10.459496021 CET	443	49874	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:10.459783077 CET	443	49874	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:10.462680101 CET	49875	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:10.462688923 CET	443	49875	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:10.462980986 CET	443	49875	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:10.466275930 CET	49874	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:10.466427088 CET	49874	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:10.466459036 CET	443	49874	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:10.466656923 CET	49875	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:10.466733932 CET	49875	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:10.466829062 CET	443	49875	34.120.208.123	192.168.2.7
Nov 25, 2024 06:38:10.467282057 CET	49874	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:10.467298031 CET	49875	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:10.467379093 CET	49874	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:10.468445063 CET	49875	443	192.168.2.7	34.120.208.123
Nov 25, 2024 06:38:10.469929934 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:10.589416981 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:10.793241024 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:10.796251059 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:10.844002962 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:10.915735960 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:11.120107889 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:11.167181015 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:17.001208067 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:17.120647907 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:17.324492931 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:17.331609964 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:17.376635075 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:17.451144934 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:17.655970097 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:17.708765984 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:27.336704016 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:27.456435919 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:27.675194025 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:27.794851065 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:37.465758085 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:37.585553885 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:37.804467916 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:37.924927950 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:40.954093933 CET	49949	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:38:40.954128981 CET	443	49949	34.107.243.93	192.168.2.7
Nov 25, 2024 06:38:40.954462051 CET	49949	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:38:40.955938101 CET	49949	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:38:40.955949068 CET	443	49949	34.107.243.93	192.168.2.7
Nov 25, 2024 06:38:42.265748978 CET	443	49949	34.107.243.93	192.168.2.7
Nov 25, 2024 06:38:42.265912056 CET	49949	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:38:42.274651051 CET	49949	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:38:42.274672985 CET	443	49949	34.107.243.93	192.168.2.7
Nov 25, 2024 06:38:42.274765015 CET	49949	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:38:42.274790049 CET	443	49949	34.107.243.93	192.168.2.7
Nov 25, 2024 06:38:42.274967909 CET	49949	443	192.168.2.7	34.107.243.93
Nov 25, 2024 06:38:42.277570009 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:42.397336960 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:42.601093054 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:42.605372906 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:42.649518013 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:42.724941969 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:42.929462910 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:42.981539965 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:52.608525991 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:52.728132963 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:38:52.947189093 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:38:53.066699028 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:39:02.737405062 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:39:02.857105017 CET	80	49745	34.107.221.82	192.168.2.7
Nov 25, 2024 06:39:03.076050997 CET	49742	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:39:03.195555925 CET	80	49742	34.107.221.82	192.168.2.7
Nov 25, 2024 06:39:12.861592054 CET	49745	80	192.168.2.7	34.107.221.82
Nov 25, 2024 06:39:12.981035948 CET	80	49745	34.107.221.82	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 06:37:11.030607939 CET	65100	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:11.032500982 CET	52388	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:11.169157982 CET	53	52388	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:11.172575951 CET	55213	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:11.173472881 CET	52481	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:11.173883915 CET	63429	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:11.226380110 CET	57871	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:11.257998943 CET	52905	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:11.309309006 CET	53	55213	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:11.310271025 CET	53	52481	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:11.310791969 CET	53	63429	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:11.321054935 CET	50639	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:11.327245951 CET	51725	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:11.327485085 CET	64264	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:11.360584021 CET	54488	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:11.363748074 CET	53	57871	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:11.394906998 CET	53	52905	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:11.458575964 CET	53	50639	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:11.464442015 CET	53	64264	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:11.500121117 CET	53	54488	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:11.670284033 CET	53	51725	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:11.807085991 CET	52021	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:11.807404041 CET	49525	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:11.809029102 CET	49405	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:11.945008993 CET	53	49525	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:11.945215940 CET	53	52021	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:11.946230888 CET	53	49405	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:11.946595907 CET	65169	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:11.947069883 CET	56000	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:11.947530985 CET	55918	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:12.083694935 CET	53	65169	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:12.084683895 CET	53	55918	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:12.084803104 CET	53	56000	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:12.320723057 CET	63444	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:12.393584013 CET	63043	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:12.394273996 CET	50875	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:12.403043985 CET	60480	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:12.457720995 CET	53	63444	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:12.474426031 CET	59988	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:12.530514002 CET	53	63043	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:12.531074047 CET	53	50875	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:12.612399101 CET	53	59988	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:14.234082937 CET	54780	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:14.662050009 CET	50697	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:14.798881054 CET	53	50697	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:14.801049948 CET	56585	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:15.042658091 CET	64294	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:15.060619116 CET	53	52985	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:15.078701019 CET	53	56585	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:15.085434914 CET	64449	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:15.179339886 CET	53	64294	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:15.200158119 CET	50474	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:15.222477913 CET	53	64449	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:15.340574980 CET	53	50474	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:15.341437101 CET	57436	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:15.478653908 CET	53	57436	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:16.620699883 CET	64405	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:16.757658005 CET	53	64405	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:18.436261892 CET	59365	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:18.573312998 CET	53	59365	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:18.574421883 CET	60602	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:18.712090015 CET	53	60602	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:23.473699093 CET	64028	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:23.574853897 CET	64023	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:23.610466003 CET	53	64028	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:23.619533062 CET	51736	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:23.712033987 CET	53	64023	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:23.712778091 CET	61814	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:23.756266117 CET	53	51736	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:23.757342100 CET	62931	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:23.850296021 CET	53	61814	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:23.894376040 CET	53	62931	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:29.077557087 CET	49944	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:29.077905893 CET	50547	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:29.077905893 CET	59878	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:29.214384079 CET	53	49944	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:29.215034008 CET	53	50547	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:29.215363026 CET	53	59878	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:29.603781939 CET	54586	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:29.603904963 CET	62018	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:29.604109049 CET	49601	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:29.740746975 CET	53	49601	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:29.741596937 CET	62590	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:29.741827011 CET	53	62018	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:29.742556095 CET	54082	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:29.880139112 CET	53	54082	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:29.881238937 CET	65251	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:29.902930021 CET	53	54586	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:29.905213118 CET	56609	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:29.983089924 CET	53	62590	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:29.984292030 CET	51016	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:30.018855095 CET	53	65251	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:30.020514011 CET	52995	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:30.111232042 CET	53	56609	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:30.112781048 CET	61627	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:30.121678114 CET	53	51016	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:30.122684956 CET	60699	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:30.160015106 CET	53	52995	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:30.161022902 CET	59297	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:30.249574900 CET	53	61627	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:30.260215998 CET	53	60699	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:30.261328936 CET	55686	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:30.396775961 CET	53	59297	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:30.397984982 CET	53	55686	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:38.234560966 CET	52429	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:38.253796101 CET	62535	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:38.254559994 CET	54184	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:38.269069910 CET	51842	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:38.371855974 CET	53	52429	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:38.390593052 CET	53	62535	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:38.391510010 CET	53	54184	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:38.391834021 CET	62432	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:38.406919956 CET	53	51842	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:38.407984018 CET	59643	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:38.528593063 CET	53	62432	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:38.529443026 CET	53737	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:38.545749903 CET	53	59643	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:38.549110889 CET	53217	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:38.667258978 CET	53	53737	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:38.686321020 CET	53	53217	1.1.1.1	192.168.2.7
Nov 25, 2024 06:37:59.583265066 CET	53104	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:37:59.727082014 CET	53	53104	1.1.1.1	192.168.2.7
Nov 25, 2024 06:38:00.808140039 CET	65239	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:38:07.844990015 CET	60122	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:38:07.981916904 CET	53	60122	1.1.1.1	192.168.2.7
Nov 25, 2024 06:38:40.816246033 CET	60346	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:38:40.952934027 CET	53	60346	1.1.1.1	192.168.2.7
Nov 25, 2024 06:38:40.953794956 CET	50614	53	192.168.2.7	1.1.1.1
Nov 25, 2024 06:38:41.090656996 CET	53	50614	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 06:37:11.030607939 CET	192.168.2.7	1.1.1.1	0x44e5	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.032500982 CET	192.168.2.7	1.1.1.1	0x687	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.172575951 CET	192.168.2.7	1.1.1.1	0xcc6e	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.173472881 CET	192.168.2.7	1.1.1.1	0xc72e	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.173883915 CET	192.168.2.7	1.1.1.1	0x74f4	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.226380110 CET	192.168.2.7	1.1.1.1	0x5d09	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.257998943 CET	192.168.2.7	1.1.1.1	0xc103	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.321054935 CET	192.168.2.7	1.1.1.1	0xd8f5	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 06:37:11.327245951 CET	192.168.2.7	1.1.1.1	0x166b	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 06:37:11.327485085 CET	192.168.2.7	1.1.1.1	0x6c83	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 25, 2024 06:37:11.360584021 CET	192.168.2.7	1.1.1.1	0xfaf6	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.807085991 CET	192.168.2.7	1.1.1.1	0xaf2d	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.807404041 CET	192.168.2.7	1.1.1.1	0xb67f	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.809029102 CET	192.168.2.7	1.1.1.1	0x6d8b	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.946595907 CET	192.168.2.7	1.1.1.1	0xaf70	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 06:37:11.947069883 CET	192.168.2.7	1.1.1.1	0x60c0	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 06:37:11.947530985 CET	192.168.2.7	1.1.1.1	0x7423	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 06:37:12.320723057 CET	192.168.2.7	1.1.1.1	0x60ff	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:12.393584013 CET	192.168.2.7	1.1.1.1	0xcd65	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:12.394273996 CET	192.168.2.7	1.1.1.1	0x84a	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:12.403043985 CET	192.168.2.7	1.1.1.1	0x2f67	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:12.474426031 CET	192.168.2.7	1.1.1.1	0x958	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 06:37:14.234082937 CET	192.168.2.7	1.1.1.1	0xaf08	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:14.662050009 CET	192.168.2.7	1.1.1.1	0xa9c4	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:14.801049948 CET	192.168.2.7	1.1.1.1	0x429b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:15.042658091 CET	192.168.2.7	1.1.1.1	0x2500	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:15.085434914 CET	192.168.2.7	1.1.1.1	0xcdbd	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 06:37:15.200158119 CET	192.168.2.7	1.1.1.1	0xe6a6	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:15.341437101 CET	192.168.2.7	1.1.1.1	0x93bb	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 06:37:16.620699883 CET	192.168.2.7	1.1.1.1	0xaa93	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:18.436261892 CET	192.168.2.7	1.1.1.1	0xdcce	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:18.574421883 CET	192.168.2.7	1.1.1.1	0x8188	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 06:37:23.473699093 CET	192.168.2.7	1.1.1.1	0x6d7f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:23.574853897 CET	192.168.2.7	1.1.1.1	0x907	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:23.619533062 CET	192.168.2.7	1.1.1.1	0xeaa3	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:23.712778091 CET	192.168.2.7	1.1.1.1	0x7894	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 06:37:23.757342100 CET	192.168.2.7	1.1.1.1	0x700a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 06:37:29.077557087 CET	192.168.2.7	1.1.1.1	0xeedd	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.077905893 CET	192.168.2.7	1.1.1.1	0x3777	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.077905893 CET	192.168.2.7	1.1.1.1	0x80fb	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.603781939 CET	192.168.2.7	1.1.1.1	0x5842	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.603904963 CET	192.168.2.7	1.1.1.1	0xc1ac	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.604109049 CET	192.168.2.7	1.1.1.1	0x2ae9	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.741596937 CET	192.168.2.7	1.1.1.1	0x8bcb	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 25, 2024 06:37:29.742556095 CET	192.168.2.7	1.1.1.1	0xfa3a	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 25, 2024 06:37:29.881238937 CET	192.168.2.7	1.1.1.1	0xefa3	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.905213118 CET	192.168.2.7	1.1.1.1	0x3c67	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 25, 2024 06:37:29.984292030 CET	192.168.2.7	1.1.1.1	0xac50	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.020514011 CET	192.168.2.7	1.1.1.1	0xd207	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.112781048 CET	192.168.2.7	1.1.1.1	0xbb75	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 06:37:30.122684956 CET	192.168.2.7	1.1.1.1	0xf3f3	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.161022902 CET	192.168.2.7	1.1.1.1	0xbc17	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 25, 2024 06:37:30.261328936 CET	192.168.2.7	1.1.1.1	0x37ae	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 25, 2024 06:37:38.234560966 CET	192.168.2.7	1.1.1.1	0xa8db	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 06:37:38.253796101 CET	192.168.2.7	1.1.1.1	0x68f3	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:38.254559994 CET	192.168.2.7	1.1.1.1	0x3e7b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 06:37:38.269069910 CET	192.168.2.7	1.1.1.1	0x122f	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:38.391834021 CET	192.168.2.7	1.1.1.1	0xd089	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:38.407984018 CET	192.168.2.7	1.1.1.1	0xaea3	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:38.529443026 CET	192.168.2.7	1.1.1.1	0xab18	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 25, 2024 06:37:38.549110889 CET	192.168.2.7	1.1.1.1	0x24dc	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 06:37:59.583265066 CET	192.168.2.7	1.1.1.1	0x35f4	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 06:38:00.808140039 CET	192.168.2.7	1.1.1.1	0xe580	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:38:07.844990015 CET	192.168.2.7	1.1.1.1	0x8a7a	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 06:38:40.816246033 CET	192.168.2.7	1.1.1.1	0x5ec8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:38:40.953794956 CET	192.168.2.7	1.1.1.1	0xfe48	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 06:37:11.168484926 CET	1.1.1.1	192.168.2.7	0x44e5	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:11.168484926 CET	1.1.1.1	192.168.2.7	0x44e5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.168517113 CET	1.1.1.1	192.168.2.7	0xa798	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.169157982 CET	1.1.1.1	192.168.2.7	0x687	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.309309006 CET	1.1.1.1	192.168.2.7	0xcc6e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.310271025 CET	1.1.1.1	192.168.2.7	0xc72e	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.310791969 CET	1.1.1.1	192.168.2.7	0x74f4	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.363748074 CET	1.1.1.1	192.168.2.7	0x5d09	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.390501976 CET	1.1.1.1	192.168.2.7	0x4500	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:11.390501976 CET	1.1.1.1	192.168.2.7	0x4500	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.394906998 CET	1.1.1.1	192.168.2.7	0xc103	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:11.394906998 CET	1.1.1.1	192.168.2.7	0xc103	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.458575964 CET	1.1.1.1	192.168.2.7	0xd8f5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 25, 2024 06:37:11.464442015 CET	1.1.1.1	192.168.2.7	0x6c83	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 25, 2024 06:37:11.500121117 CET	1.1.1.1	192.168.2.7	0xfaf6	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:11.500121117 CET	1.1.1.1	192.168.2.7	0xfaf6	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:11.500121117 CET	1.1.1.1	192.168.2.7	0xfaf6	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.945008993 CET	1.1.1.1	192.168.2.7	0xb67f	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.945215940 CET	1.1.1.1	192.168.2.7	0xaf2d	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:11.946230888 CET	1.1.1.1	192.168.2.7	0x6d8b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:12.457720995 CET	1.1.1.1	192.168.2.7	0x60ff	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:12.530514002 CET	1.1.1.1	192.168.2.7	0xcd65	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:12.531074047 CET	1.1.1.1	192.168.2.7	0x84a	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:12.531074047 CET	1.1.1.1	192.168.2.7	0x84a	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:12.539936066 CET	1.1.1.1	192.168.2.7	0x2f67	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:12.539936066 CET	1.1.1.1	192.168.2.7	0x2f67	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:12.612399101 CET	1.1.1.1	192.168.2.7	0x958	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 25, 2024 06:37:14.442028046 CET	1.1.1.1	192.168.2.7	0xaf08	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:14.798881054 CET	1.1.1.1	192.168.2.7	0xa9c4	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:15.078701019 CET	1.1.1.1	192.168.2.7	0x429b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:15.155680895 CET	1.1.1.1	192.168.2.7	0xa8bc	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:15.155680895 CET	1.1.1.1	192.168.2.7	0xa8bc	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:15.179339886 CET	1.1.1.1	192.168.2.7	0x2500	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:15.179339886 CET	1.1.1.1	192.168.2.7	0x2500	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:15.340574980 CET	1.1.1.1	192.168.2.7	0xe6a6	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:16.757658005 CET	1.1.1.1	192.168.2.7	0xaa93	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:16.757658005 CET	1.1.1.1	192.168.2.7	0xaa93	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:16.757658005 CET	1.1.1.1	192.168.2.7	0xaa93	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:18.573312998 CET	1.1.1.1	192.168.2.7	0xdcce	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:23.571438074 CET	1.1.1.1	192.168.2.7	0x154c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:23.610466003 CET	1.1.1.1	192.168.2.7	0x6d7f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:23.712033987 CET	1.1.1.1	192.168.2.7	0x907	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:23.756266117 CET	1.1.1.1	192.168.2.7	0xeaa3	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:27.846918106 CET	1.1.1.1	192.168.2.7	0x2269	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.214384079 CET	1.1.1.1	192.168.2.7	0xeedd	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:29.214384079 CET	1.1.1.1	192.168.2.7	0xeedd	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.215034008 CET	1.1.1.1	192.168.2.7	0x3777	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:29.215034008 CET	1.1.1.1	192.168.2.7	0x3777	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.215034008 CET	1.1.1.1	192.168.2.7	0x3777	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.215034008 CET	1.1.1.1	192.168.2.7	0x3777	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.215034008 CET	1.1.1.1	192.168.2.7	0x3777	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.215034008 CET	1.1.1.1	192.168.2.7	0x3777	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.215034008 CET	1.1.1.1	192.168.2.7	0x3777	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.215034008 CET	1.1.1.1	192.168.2.7	0x3777	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.215034008 CET	1.1.1.1	192.168.2.7	0x3777	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.215034008 CET	1.1.1.1	192.168.2.7	0x3777	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.215034008 CET	1.1.1.1	192.168.2.7	0x3777	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.215363026 CET	1.1.1.1	192.168.2.7	0x80fb	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:29.215363026 CET	1.1.1.1	192.168.2.7	0x80fb	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.740746975 CET	1.1.1.1	192.168.2.7	0x2ae9	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.741827011 CET	1.1.1.1	192.168.2.7	0xc1ac	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.741827011 CET	1.1.1.1	192.168.2.7	0xc1ac	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.741827011 CET	1.1.1.1	192.168.2.7	0xc1ac	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.741827011 CET	1.1.1.1	192.168.2.7	0xc1ac	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.741827011 CET	1.1.1.1	192.168.2.7	0xc1ac	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.741827011 CET	1.1.1.1	192.168.2.7	0xc1ac	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.741827011 CET	1.1.1.1	192.168.2.7	0xc1ac	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.741827011 CET	1.1.1.1	192.168.2.7	0xc1ac	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.741827011 CET	1.1.1.1	192.168.2.7	0xc1ac	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.741827011 CET	1.1.1.1	192.168.2.7	0xc1ac	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.880139112 CET	1.1.1.1	192.168.2.7	0xfa3a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 06:37:29.880139112 CET	1.1.1.1	192.168.2.7	0xfa3a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 06:37:29.880139112 CET	1.1.1.1	192.168.2.7	0xfa3a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 06:37:29.880139112 CET	1.1.1.1	192.168.2.7	0xfa3a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 06:37:29.902930021 CET	1.1.1.1	192.168.2.7	0x5842	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:29.983089924 CET	1.1.1.1	192.168.2.7	0x8bcb	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 25, 2024 06:37:30.018855095 CET	1.1.1.1	192.168.2.7	0xefa3	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:30.018855095 CET	1.1.1.1	192.168.2.7	0xefa3	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.018855095 CET	1.1.1.1	192.168.2.7	0xefa3	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.018855095 CET	1.1.1.1	192.168.2.7	0xefa3	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.018855095 CET	1.1.1.1	192.168.2.7	0xefa3	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.111232042 CET	1.1.1.1	192.168.2.7	0x3c67	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 25, 2024 06:37:30.121678114 CET	1.1.1.1	192.168.2.7	0xac50	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.121678114 CET	1.1.1.1	192.168.2.7	0xac50	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.121678114 CET	1.1.1.1	192.168.2.7	0xac50	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.121678114 CET	1.1.1.1	192.168.2.7	0xac50	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.160015106 CET	1.1.1.1	192.168.2.7	0xd207	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.160015106 CET	1.1.1.1	192.168.2.7	0xd207	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.160015106 CET	1.1.1.1	192.168.2.7	0xd207	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.160015106 CET	1.1.1.1	192.168.2.7	0xd207	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.260215998 CET	1.1.1.1	192.168.2.7	0xf3f3	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.260215998 CET	1.1.1.1	192.168.2.7	0xf3f3	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.260215998 CET	1.1.1.1	192.168.2.7	0xf3f3	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:30.260215998 CET	1.1.1.1	192.168.2.7	0xf3f3	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:38.390593052 CET	1.1.1.1	192.168.2.7	0x68f3	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:38.390593052 CET	1.1.1.1	192.168.2.7	0x68f3	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:38.390593052 CET	1.1.1.1	192.168.2.7	0x68f3	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:38.390593052 CET	1.1.1.1	192.168.2.7	0x68f3	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:38.406919956 CET	1.1.1.1	192.168.2.7	0x122f	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:38.406919956 CET	1.1.1.1	192.168.2.7	0x122f	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:38.528593063 CET	1.1.1.1	192.168.2.7	0xd089	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:38.528593063 CET	1.1.1.1	192.168.2.7	0xd089	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:38.528593063 CET	1.1.1.1	192.168.2.7	0xd089	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:38.528593063 CET	1.1.1.1	192.168.2.7	0xd089	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:38.545749903 CET	1.1.1.1	192.168.2.7	0xaea3	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:37:38.667258978 CET	1.1.1.1	192.168.2.7	0xab18	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 06:37:38.667258978 CET	1.1.1.1	192.168.2.7	0xab18	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 06:37:38.667258978 CET	1.1.1.1	192.168.2.7	0xab18	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 06:37:38.667258978 CET	1.1.1.1	192.168.2.7	0xab18	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 06:37:41.601902008 CET	1.1.1.1	192.168.2.7	0x8adc	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:37:41.601902008 CET	1.1.1.1	192.168.2.7	0x8adc	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:38:00.947474957 CET	1.1.1.1	192.168.2.7	0xe580	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 06:38:00.947474957 CET	1.1.1.1	192.168.2.7	0xe580	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:38:07.826634884 CET	1.1.1.1	192.168.2.7	0x4e39	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 06:38:40.952934027 CET	1.1.1.1	192.168.2.7	0x5ec8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49706	34.107.221.82	80	7776	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 06:37:11.292140007 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 06:37:12.377309084 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 76635 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49715	34.107.221.82	80	7776	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 06:37:12.685234070 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 06:37:13.860961914 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 08:39:17 GMT Age: 75476 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49718	34.107.221.82	80	7776	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 06:37:13.974055052 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 06:37:15.105412006 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 76637 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 06:37:23.435326099 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49742	34.107.221.82	80	7776	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 06:37:21.969830036 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 06:37:23.101938963 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 08:39:17 GMT Age: 75485 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 06:37:27.647562981 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 06:37:27.972529888 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 08:39:17 GMT Age: 75490 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 06:37:29.076464891 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 06:37:29.400502920 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 08:39:17 GMT Age: 75492 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 06:37:29.946584940 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 06:37:30.271421909 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 08:39:17 GMT Age: 75493 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 06:37:31.262991905 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 06:37:31.587527990 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 08:39:17 GMT Age: 75494 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 06:37:39.823748112 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 06:37:40.147680998 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 08:39:17 GMT Age: 75502 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 06:37:41.215651035 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 06:37:41.539469004 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 08:39:17 GMT Age: 75504 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 06:37:51.544884920 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 06:38:01.134640932 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 06:38:01.458777905 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 08:39:17 GMT Age: 75524 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 06:38:09.449193954 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 06:38:09.773006916 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 08:39:17 GMT Age: 75532 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 06:38:10.796251059 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 06:38:11.120107889 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 08:39:17 GMT Age: 75533 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 06:38:17.331609964 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 06:38:17.655970097 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 08:39:17 GMT Age: 75540 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 06:38:27.675194025 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 06:38:37.804467916 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 06:38:42.605372906 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 06:38:42.929462910 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 08:39:17 GMT Age: 75565 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 06:38:52.947189093 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 06:39:03.076050997 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49745	34.107.221.82	80	7776	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 06:37:23.602720022 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 06:37:24.733535051 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 76647 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 06:37:27.707639933 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 06:37:28.031558037 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 76650 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 06:37:29.618932962 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 06:37:29.942497015 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 76652 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 06:37:30.933697939 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 06:37:31.258729935 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 76654 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 06:37:39.486434937 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 06:37:39.810652971 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 76662 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 06:37:40.888076067 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 06:37:41.211947918 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 76664 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 06:37:51.228212118 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 06:38:00.807857037 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 06:38:01.131634951 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 76683 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 06:38:09.121829033 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 06:38:09.445327044 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 76692 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 06:38:10.469929934 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 06:38:10.793241024 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 76693 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 06:38:17.001208067 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 06:38:17.324492931 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 76700 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 06:38:27.336704016 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 06:38:37.465758085 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 06:38:42.277570009 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 06:38:42.601093054 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 08:19:57 GMT Age: 76725 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 06:38:52.608525991 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 06:39:02.737405062 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 06:39:12.861592054 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	00:37:02
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xa00000
File size:	922'624 bytes
MD5 hash:	F8F6B3F05A3B3BFE1F5600AE9B33F059
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1296873839.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1236545654.0000000000F64000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:37:02
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x220000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:37:02
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:37:04
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x220000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:37:04
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:37:04
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x220000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:37:05
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:37:05
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x220000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:37:05
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:37:05
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x220000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:37:05
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:37:05
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:37:05
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:37:05
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	00:37:06
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {343c6f86-1b5f-473e-9dba-35b770c7833f} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1fd7576dd10 socket
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	00:37:09
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3016 -parentBuildID 20230927232528 -prefsHandle 3060 -prefMapHandle 2996 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2796a079-c3f2-485a-9277-415ee10c3b63} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1fd05fc6e10 rdd
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	00:37:14
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5180 -prefMapHandle 5176 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99b798a6-e00b-468f-8fbe-32fc4b2fef5c} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1fd0f5fab10 utility
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1574
Total number of Limit Nodes:	55

Executed Functions

Function 00A042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A0430D

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

GetCurrentProcess.KERNEL32(?,00A9CB64,00000000,?,?), ref: 00A04422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00A04429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00A04454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A04466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00A04474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00A0447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00A044A0

Strings

GetNativeSystemInfo, xrefs: 00A04460
|O, xrefs: 00A436F8
kernel32.dll, xrefs: 00A0444F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8cd282573c20b1cb25f2662c8b1f91d790d9cdebe8de93b35e865463aaae15f2
Instruction ID: 0aa2a0d01a97b9c341f31f59668bd33e645e84415fdd03b614e67b8c30de02f4
Opcode Fuzzy Hash: 8cd282573c20b1cb25f2662c8b1f91d790d9cdebe8de93b35e865463aaae15f2
Instruction Fuzzy Hash: 9DA1C7B690B3C4FFCB91C7E9BC851957FA5BB66700B18489BD0839FA62D2314607DB21

Function 00A042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00A050AA,?,?,00000000,00000000), ref: 00A042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A050AA,?,?,00000000,00000000), ref: 00A042C9
LoadResource.KERNEL32(?,00000000,?,?,00A050AA,?,?,00000000,00000000,?,?,?,?,?,?,00A04F20), ref: 00A435BE
SizeofResource.KERNEL32(?,00000000,?,?,00A050AA,?,?,00000000,00000000,?,?,?,?,?,?,00A04F20), ref: 00A435D3
LockResource.KERNEL32(00A050AA,?,?,00A050AA,?,?,00000000,00000000,?,?,?,?,?,?,00A04F20,?), ref: 00A435E6

Strings

SCRIPT, xrefs: 00A042BF

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: ed765d32bc0aea1134e4fddaa50086afb962de5f54753b80cf991f106787959d
Instruction ID: 56e3dcd90e2db2b343185272d30b45b7a82242fd7a44860966bff67439a31f8f
Opcode Fuzzy Hash: ed765d32bc0aea1134e4fddaa50086afb962de5f54753b80cf991f106787959d
Instruction Fuzzy Hash: A0117CB1300B04BFDB219BA5EC48FA77BB9FBC9B61F10816AB502D6290DF71D8018630

Function 00A42BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00A02B6B

Part of subcall function 00A03A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AD1418,?,00A02E7F,?,?,?,00000000), ref: 00A03A78

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00AC2224), ref: 00A42C10
ShellExecuteW.SHELL32(00000000,?,?,00AC2224), ref: 00A42C17

Strings

runas, xrefs: 00A42C0B

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 5955b0bbcfa2c4f5064367bfcd30b456dc27a4be359f8a431b505e946bbc1dc0
Instruction ID: 4addac14d7e714eb3e080a56ebbb206201f5d3d7acee7dc071272eb307f48769
Opcode Fuzzy Hash: 5955b0bbcfa2c4f5064367bfcd30b456dc27a4be359f8a431b505e946bbc1dc0
Instruction Fuzzy Hash: 661106726083496ACB04FFA0FA56FBE77A8AB91350F44082EF142460E3CF20894AC713

Function 00A6D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A6D501
Process32FirstW.KERNEL32(00000000,?), ref: 00A6D50F
Process32NextW.KERNEL32(00000000,?), ref: 00A6D52F
CloseHandle.KERNELBASE(00000000), ref: 00A6D5DC

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 28f2203f660066931b1cd981e7e50da21a87ddac7c24b14eb775101ec4640758
Instruction ID: 1335366f8ca703f128c0beba125ffc1aaea47c3eb4d5ec1cd84c5f273508bdb4
Opcode Fuzzy Hash: 28f2203f660066931b1cd981e7e50da21a87ddac7c24b14eb775101ec4640758
Instruction Fuzzy Hash: F531D6716083049FD300EF54D981AAFBBF8EF99394F10052DF586871A2EB719949CB93

Function 00A6DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00A45222), ref: 00A6DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00A6DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00A6DBEE
FindClose.KERNEL32(00000000), ref: 00A6DBFA

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 603aa57ad865e6e841f1c8c53b61d2cc40d70e5a85308f10d7ad3b7564e6e096
Instruction ID: 65f20fd1c38f7ddf6431b170db26d7884c4988c7a23b32a6f09825ed7394703e
Opcode Fuzzy Hash: 603aa57ad865e6e841f1c8c53b61d2cc40d70e5a85308f10d7ad3b7564e6e096
Instruction Fuzzy Hash: C5F0A030A10D1867C320EBB8AC0D8AA377C9E01374B504703F836C20E0EFB1599686D9

Function 00A24CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00A328E9,?,00A24CBE,00A328E9,00AC88B8,0000000C,00A24E15,00A328E9,00000002,00000000,?,00A328E9), ref: 00A24D09
TerminateProcess.KERNEL32(00000000,?,00A24CBE,00A328E9,00AC88B8,0000000C,00A24E15,00A328E9,00000002,00000000,?,00A328E9), ref: 00A24D10
ExitProcess.KERNEL32 ref: 00A24D22

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 126e1dd148babfd75b9267349d2a82e3e74085b8b53b6f2afc1a612bcf5ce0b5
Instruction ID: e9d1ef9cc7db0d978f3f9defd79c9875ef7eac0cdb6d452a727b7428d7a368d2
Opcode Fuzzy Hash: 126e1dd148babfd75b9267349d2a82e3e74085b8b53b6f2afc1a612bcf5ce0b5
Instruction Fuzzy Hash: 4DE0B631104558AFCF11AF98EE0AA597B69EB45B91F104025FC098B122CB35DD42CA90

Function 00A8AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00A8B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A8B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A8B1D4
_wcslen.LIBCMT ref: 00A8B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A8B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A8B236
_wcslen.LIBCMT ref: 00A8B332

Part of subcall function 00A705A7: GetStdHandle.KERNEL32(000000F6), ref: 00A705C6

_wcslen.LIBCMT ref: 00A8B34B
_wcslen.LIBCMT ref: 00A8B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A8B3B6
GetLastError.KERNEL32(00000000), ref: 00A8B407
CloseHandle.KERNEL32(?), ref: 00A8B439
CloseHandle.KERNEL32(00000000), ref: 00A8B44A
CloseHandle.KERNEL32(00000000), ref: 00A8B45C
CloseHandle.KERNEL32(00000000), ref: 00A8B46E
CloseHandle.KERNEL32(?), ref: 00A8B4E3

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: a2492a4080d6aa20eff7072356a2759617c4ddd25dd5830c89a7bf5ed9f97b53
Instruction ID: 9c594a20fd0c0362a1a5eea7478b4a0fd5183cc532816647ac8d98493386ab99
Opcode Fuzzy Hash: a2492a4080d6aa20eff7072356a2759617c4ddd25dd5830c89a7bf5ed9f97b53
Instruction Fuzzy Hash: EEF1AE316183409FCB14EF24D991B6FBBE1AF85314F14855DF49A9B2A2DB31EC41CB62

Function 00A0D730 Relevance: 21.6, APIs: 14, Instructions: 616windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00A0D807
timeGetTime.WINMM ref: 00A0DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A0DB28
TranslateMessage.USER32(?), ref: 00A0DB7B
DispatchMessageW.USER32(?), ref: 00A0DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A0DB9F
Sleep.KERNELBASE(0000000A), ref: 00A0DBB1

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 72845e83e0be10d26830082256f8c447418b6f424b45182e2d99d4db9f893a3b
Instruction ID: 1bf6ef4873c5ae23f5a9e190bb3ad8d046ccdd1e3d82c6a06966152c7034f800
Opcode Fuzzy Hash: 72845e83e0be10d26830082256f8c447418b6f424b45182e2d99d4db9f893a3b
Instruction Fuzzy Hash: BC42F131608345EFD728CF64D844BAAB7F0BF46354F148A1EE956872D1D770E889CB92

Function 00A02CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A02D07
RegisterClassExW.USER32(00000030), ref: 00A02D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A02D42
InitCommonControlsEx.COMCTL32(?), ref: 00A02D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A02D6F
LoadIconW.USER32(000000A9), ref: 00A02D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A02D94

Strings

+, xrefs: 00A02CF0
0, xrefs: 00A02CE9
TaskbarCreated, xrefs: 00A02D37
AutoIt v3 GUI, xrefs: 00A02D23

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: eb97f9ceaa05f5f9a94a19c81fc10b12ce4a3a033591be1f9b5dc862c129dd96
Instruction ID: 63d1dabe4cbacc2aa871bd7113aa53a19cb545fc6d5e817957ca7e7c7c81689d
Opcode Fuzzy Hash: eb97f9ceaa05f5f9a94a19c81fc10b12ce4a3a033591be1f9b5dc862c129dd96
Instruction Fuzzy Hash: 4221C3B5A02218AFDB00DFE4E859BDDBBB8FB08714F00411BF512A62A0DBB14546CF91

Function 00A4065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A4039A: CreateFileW.KERNELBASE(00000000,00000000,?,00A40704,?,?,00000000,?,00A40704,00000000,0000000C), ref: 00A403B7

GetLastError.KERNEL32 ref: 00A4076F
__dosmaperr.LIBCMT ref: 00A40776
GetFileType.KERNELBASE(00000000), ref: 00A40782
GetLastError.KERNEL32 ref: 00A4078C
__dosmaperr.LIBCMT ref: 00A40795
CloseHandle.KERNEL32(00000000), ref: 00A407B5
CloseHandle.KERNEL32(?), ref: 00A408FF
GetLastError.KERNEL32 ref: 00A40931
__dosmaperr.LIBCMT ref: 00A40938

Strings

H, xrefs: 00A408BD

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 69d9b53fb7ba589f5b0887b657d17be500d55ab258608d5fddc8ae536f6ef5fe
Instruction ID: 4dfd296709553267e007aca3668e0f0c41b9e221fe0ada27c743bd018043e6e0
Opcode Fuzzy Hash: 69d9b53fb7ba589f5b0887b657d17be500d55ab258608d5fddc8ae536f6ef5fe
Instruction Fuzzy Hash: 33A1273AA005048FDF19EF78D951FAE7BB0EB86320F24015AF9119F292DB359813DB91

Function 00A0344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A03A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AD1418,?,00A02E7F,?,?,?,00000000), ref: 00A03A78

Part of subcall function 00A03357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A03379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A0356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A4318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A431CE
RegCloseKey.ADVAPI32(?), ref: 00A43210
_wcslen.LIBCMT ref: 00A43277
_wcslen.LIBCMT ref: 00A43286

Strings

Include, xrefs: 00A43184, 00A431C5
\, xrefs: 00A4328C
\Include\, xrefs: 00A03527
Software\AutoIt v3\AutoIt, xrefs: 00A03560

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 19fc7f79b8e439dd7c26e82d4a8e883d3a3fa5b2a82cef8c16793766d92a5734
Instruction ID: f6b34dd93939e3c71208086e2bc97ac99a7ae29da238563778fa9b8d205908bc
Opcode Fuzzy Hash: 19fc7f79b8e439dd7c26e82d4a8e883d3a3fa5b2a82cef8c16793766d92a5734
Instruction Fuzzy Hash: 2971D6715053049FD704EFA9ED81AABB7F8FFA4750F40052EF5468B1A0EB709A49CB62

Function 00A02B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A02B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00A02B9D
LoadIconW.USER32(00000063), ref: 00A02BB3
LoadIconW.USER32(000000A4), ref: 00A02BC5
LoadIconW.USER32(000000A2), ref: 00A02BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A02BEF
RegisterClassExW.USER32(?), ref: 00A02C40

Part of subcall function 00A02CD4: GetSysColorBrush.USER32(0000000F), ref: 00A02D07
Part of subcall function 00A02CD4: RegisterClassExW.USER32(00000030), ref: 00A02D31
Part of subcall function 00A02CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A02D42
Part of subcall function 00A02CD4: InitCommonControlsEx.COMCTL32(?), ref: 00A02D5F
Part of subcall function 00A02CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A02D6F
Part of subcall function 00A02CD4: LoadIconW.USER32(000000A9), ref: 00A02D85
Part of subcall function 00A02CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A02D94

Strings

#, xrefs: 00A02C16
0, xrefs: 00A02C0F
AutoIt v3, xrefs: 00A02C2F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 86c6fd07524931a7cc54b200b50b4c9b637c93e2a63200a91db9c9a08a33ffbd
Instruction ID: 66808110944748f7b6b82e81369c6ca6b82059e3427bedd3c6daf9dcd245a784
Opcode Fuzzy Hash: 86c6fd07524931a7cc54b200b50b4c9b637c93e2a63200a91db9c9a08a33ffbd
Instruction Fuzzy Hash: 03211875E02318BBDB50DFE5EC59AA97FB4FB48B54F40011BE506AA6A0DBB10542CF90

Function 00A03170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00A0316A,?,?), ref: 00A031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00A0316A,?,?), ref: 00A03204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A03227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00A0316A,?,?), ref: 00A03232
CreatePopupMenu.USER32 ref: 00A03246
PostQuitMessage.USER32(00000000), ref: 00A03267

Strings

TaskbarCreated, xrefs: 00A0322D

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 3a240a5c0b59ee208f535c418185f6890f190740ebf7cb77084196906678bc7f
Instruction ID: fd01530455baaebe9f795d006da803d08305b7b1f293689b2508f65e75cfddf2
Opcode Fuzzy Hash: 3a240a5c0b59ee208f535c418185f6890f190740ebf7cb77084196906678bc7f
Instruction Fuzzy Hash: 4341193A340208BBDF149BF8BD69BB93B6DEB5D350F040217F503862E1DB618A419761

Function 00A01410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A01459
CoUninitialize.COMBASE ref: 00A014F8
UnregisterHotKey.USER32(?), ref: 00A016DD
DestroyWindow.USER32(?), ref: 00A424B9
FreeLibrary.KERNEL32(?), ref: 00A4251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A4254B

Strings

close all, xrefs: 00A01454

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ea484fb5ab5b1f575dad45fc3428ec3745933806288462d3b841dfb7f461095c
Instruction ID: b828d68ff5682bff27a73075514f4e06f8ca88394151b018a780492faf5370f8
Opcode Fuzzy Hash: ea484fb5ab5b1f575dad45fc3428ec3745933806288462d3b841dfb7f461095c
Instruction Fuzzy Hash: 04D1AD35701212CFCB19EF14D995BA9F7A0BF44310F5582ADF44A6B2A2DB31AC12CF91

Function 00A02C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A02C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A02CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00A01CAD,?), ref: 00A02CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00A01CAD,?), ref: 00A02CCF

Strings

edit, xrefs: 00A02CAC
AutoIt v3, xrefs: 00A02C89, 00A02C8E, 00A02C8F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a578df43ee5a7b468df13870cb5dfae2e213d66e7748eeaa3f5a0c2968e53501
Instruction ID: 8956243da50682672bda2516b448a0ba84e2d289232c7beb0ce66f754cdb3823
Opcode Fuzzy Hash: a578df43ee5a7b468df13870cb5dfae2e213d66e7748eeaa3f5a0c2968e53501
Instruction Fuzzy Hash: C4F0DA796412907BEB719797AC0CEB73FBDD7C6F60B00005BF905AA5A0D6611852DAB0

Function 00A03B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00A03B0F,SwapMouseButtons,00000004,?), ref: 00A03B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00A03B0F,SwapMouseButtons,00000004,?), ref: 00A03B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00A03B0F,SwapMouseButtons,00000004,?), ref: 00A03B83

Strings

Control Panel\Mouse, xrefs: 00A03B3E

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ba0cd34bb398f5cc06e916466c6fa855d66f601926580bcb18415a859323f586
Instruction ID: 871ab383ea39851247695e35cf4392e119709e1d1bd33380329126ccbd5af492
Opcode Fuzzy Hash: ba0cd34bb398f5cc06e916466c6fa855d66f601926580bcb18415a859323f586
Instruction Fuzzy Hash: 1F112AB6610208FFDF20CFA5EC85AAEBBBCEF05758B10445AA806D7150E6719E459760

Function 00A03923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A433A2

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A03A04

Strings

Line: , xrefs: 00A433EB

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: e38a4a8da0844889836e2fc61b659ec82b6b68e5113931de4a39a09c464f1f36
Instruction ID: f8fe95aae5edcb403aece39de2d8f1f3d565c5d7bac609c958296d746e602f4d
Opcode Fuzzy Hash: e38a4a8da0844889836e2fc61b659ec82b6b68e5113931de4a39a09c464f1f36
Instruction Fuzzy Hash: 6931E272508308ABCB20EB64EC45BEBB3ECAB40314F00492BF59A861D1DB709649C7C2

Function 00A1FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00A20668

Part of subcall function 00A232A4: RaiseException.KERNEL32(?,?,?,00A2068A,?,00AD1444,?,?,?,?,?,?,00A2068A,00A01129,00AC8738,00A01129), ref: 00A23304

__CxxThrowException@8.LIBVCRUNTIME ref: 00A20685

Strings

Unknown exception, xrefs: 00A20692

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 4f3d635976cb7d1786940f53d8bf24d13d4e85e0ce13f72ae62115ca09284cb2
Instruction ID: 367688f4346185c3cf79a5205a466dc388effbb69bf0764e103ce6940c60ddbb
Opcode Fuzzy Hash: 4f3d635976cb7d1786940f53d8bf24d13d4e85e0ce13f72ae62115ca09284cb2
Instruction Fuzzy Hash: C5F0C23490021DBBCF04B7ACF946DEE7B6C6E00354B604535B824D6593EF75DA65C6C0

Function 00A010F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A01BF4
Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A01BFC
Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A01C07
Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A01C12
Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A01C1A
Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A01C22

Part of subcall function 00A01B4A: RegisterWindowMessageW.USER32(00000004,?,00A012C4), ref: 00A01BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A0136A
OleInitialize.OLE32 ref: 00A01388
CloseHandle.KERNEL32(00000000,00000000), ref: 00A424AB

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 8fa47585e86ba49f98233c5e4d3a14d7d8f574c3d090f2f74795a566ffff9cc2
Instruction ID: c87d053c80840732456209aabc0b01ae1909ea73c51b31732c3577f3c8af908a
Opcode Fuzzy Hash: 8fa47585e86ba49f98233c5e4d3a14d7d8f574c3d090f2f74795a566ffff9cc2
Instruction Fuzzy Hash: C0718BB4A12304AFC784EFF9BA456993BE1FB89354754826BD41BC73A2EB384442CF51

Function 00A6C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A03923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A03A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A6C259
KillTimer.USER32(?,00000001,?,?), ref: 00A6C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A6C270

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 0bd6369bcaa68d0f2f1a3f17f33334f6e8940371c1eafa8bb69316192e8ae4b0
Instruction ID: d63afa22550d45b5d86e4fc41deaf59edba9e585cc9dfd2e61bdfc22742088e2
Opcode Fuzzy Hash: 0bd6369bcaa68d0f2f1a3f17f33334f6e8940371c1eafa8bb69316192e8ae4b0
Instruction Fuzzy Hash: 7331C370A04344AFEB22DFB488A5BE7BBFC9F06314F00049AD6EA97241C7745A85CB51

Function 00A386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00A385CC,?,00AC8CC8,0000000C), ref: 00A38704
GetLastError.KERNEL32(?,00A385CC,?,00AC8CC8,0000000C), ref: 00A3870E
__dosmaperr.LIBCMT ref: 00A38739

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 2434f71c894c25b0831c346bf7a39889eaeaf0552f31f72b64b77810e43bbe06
Instruction ID: d003ac3d34d1d1b2258ec764d9119dcffc71e57fd258b6187af31ce948dab4df
Opcode Fuzzy Hash: 2434f71c894c25b0831c346bf7a39889eaeaf0552f31f72b64b77810e43bbe06
Instruction Fuzzy Hash: B5014E32A0572017D634A378AA47B7E77594B82774F39011AF8158F1D2DFA8CC819150

Function 00A0DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00A0DB7B
DispatchMessageW.USER32(?), ref: 00A0DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A0DB9F
Sleep.KERNELBASE(0000000A), ref: 00A0DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00A51CC9

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: efc1006eb2c205f07141f35f7cc43fdeef9c856ff20856cb444c778d058ccfdc
Instruction ID: cc4cd7a467ef15d463a3680325714ec18b1c711850a6e9849b93d1ba902e0e30
Opcode Fuzzy Hash: efc1006eb2c205f07141f35f7cc43fdeef9c856ff20856cb444c778d058ccfdc
Instruction Fuzzy Hash: DCF0FE316443849BE730DBE09C89FEA73ADEB85711F504A1AE65A970D0DB309489DB25

Function 00A11310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A117F6

Strings

CALL, xrefs: 00A117C6

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 531d08421f9f49ab7778f0e53cf62c034a40e8fbead4acdce04ca54826b9f485
Instruction ID: 443232628dff59a4adad29b273aafec6707e8138955d8da7baa7df5cf4d2638b
Opcode Fuzzy Hash: 531d08421f9f49ab7778f0e53cf62c034a40e8fbead4acdce04ca54826b9f485
Instruction Fuzzy Hash: C5228C706083419FC714DF14C580BAABBF2BF85314F64895DF9968B3A1D735E885CB92

Function 00A02DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00A42C8C

Part of subcall function 00A03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A03A97,?,?,00A02E7F,?,?,?,00000000), ref: 00A03AC2

Part of subcall function 00A02DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A02DC4

Strings

X, xrefs: 00A42C5A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: afa868059812207867841be80b9a3683d9832070ee2b0675c9a4e0e5940156d6
Instruction ID: ffb88907bf82efbd0f65d6fc680176a835dc291e998e24cdf0ef4dd8e868a1ab
Opcode Fuzzy Hash: afa868059812207867841be80b9a3683d9832070ee2b0675c9a4e0e5940156d6
Instruction Fuzzy Hash: 7621A571A0025C9FCF01EF94D949BEE7BFCAF49314F00405AE405AB281DBB45A898F61

Function 00A03837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A03908

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 82df8420eac3355da1fd49e73e1b164ec6f5a86042d14b18b3e59456badafd7d
Instruction ID: 2b04cc4bab64a189971fda547cc30ab93150df857524d6116e327c4227e83765
Opcode Fuzzy Hash: 82df8420eac3355da1fd49e73e1b164ec6f5a86042d14b18b3e59456badafd7d
Instruction Fuzzy Hash: C931C3756057059FD760DF64E884797BBF8FB49308F00096EF59A87280E771AA48CB52

Function 00A1F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A1F661

Part of subcall function 00A0D730: GetInputState.USER32 ref: 00A0D807

Sleep.KERNEL32(00000000), ref: 00A5F2DE

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: f8c219f56f3e970220d4c5c5c87df302f6230ef125a122ccd1c1a8ef60cabe41
Instruction ID: afb730434a9b242ab5946043b36dab6f9045a8c8aa6547cc0b1660a18baa7af7
Opcode Fuzzy Hash: f8c219f56f3e970220d4c5c5c87df302f6230ef125a122ccd1c1a8ef60cabe41
Instruction Fuzzy Hash: 57F082312406059FD310EFA5E945B5AB7E4FF49761F00006AE85EC73A0DB70BC00CB90

Function 00A0B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A0BB4E

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: dc738d7f24684fc4de6dba62ccb773bbea87c36a32ed38d739fa940eab318ef3
Instruction ID: dc9bb8fdad118009101db8e4f8cef920027d5073e1264be89f394108f4b68412
Opcode Fuzzy Hash: dc738d7f24684fc4de6dba62ccb773bbea87c36a32ed38d739fa940eab318ef3
Instruction Fuzzy Hash: AB32AB34A00209AFDB24CF54DA94FBEB7B5FF44350F14805AED16AB2A1C774AD85CBA1

Function 00A0ACEB Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7d24a86c0b8de758805ada93442e2d60283b14e7d9400de8a933cdd94c8fdd
Instruction ID: 6dea63f5fcfbe1bfdae3acc96d3aaeabc849c585a78dd538dbdb0850ead3df57
Opcode Fuzzy Hash: 2f7d24a86c0b8de758805ada93442e2d60283b14e7d9400de8a933cdd94c8fdd
Instruction Fuzzy Hash: F931F6762003088FCB359F18E455B39B3B1AFA1753F24483DE5895A9D2C739AC81DB53

Function 00A04ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A04E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A04EDD,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E9C
Part of subcall function 00A04E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A04EAE
Part of subcall function 00A04E90: FreeLibrary.KERNEL32(00000000,?,?,00A04EDD,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04EFD

Part of subcall function 00A04E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A43CDE,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E62
Part of subcall function 00A04E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A04E74
Part of subcall function 00A04E59: FreeLibrary.KERNEL32(00000000,?,?,00A43CDE,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E87

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 6dbbd94a9f81de633b3a1073c944fd0fc8d4d2eaaecc9b27d007d07c18ed3b5b
Instruction ID: 51af687baab1a4e265d43a19a9ccde6316dee1904ea769521e1c3d6f09c06a2e
Opcode Fuzzy Hash: 6dbbd94a9f81de633b3a1073c944fd0fc8d4d2eaaecc9b27d007d07c18ed3b5b
Instruction Fuzzy Hash: 3D11E7B261020AABDF14FF74EE02FED77A5BF44B11F10842DF642A61C1DEB09A459B50

Function 00A38402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00A38440

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 6067391b432d3a65a3503174865d37e02bb296c47430cdffa929088eed8ed083
Instruction ID: 8caa7f04de6f9bca9a4e606dd1f22b824634d11c0e2dbac7f9453d4c0d02c4e3
Opcode Fuzzy Hash: 6067391b432d3a65a3503174865d37e02bb296c47430cdffa929088eed8ed083
Instruction Fuzzy Hash: 1311187590420AAFCF15DF58E94199A7BF5EF48314F104059F809AB312DB31DA11CBA5

Function 00A35000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A34C7D: RtlAllocateHeap.NTDLL(00000008,00A01129,00000000,?,00A32E29,00000001,00000364,?,?,?,00A2F2DE,00A33863,00AD1444,?,00A1FDF5,?), ref: 00A34CBE

_free.LIBCMT ref: 00A3506C

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: b2c24828e38c2ed506c9e865214fb86f48b376f2cf44834c5af2dc373c3923db
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: C80126726047046FE3258F69D881A5AFBE8FB8A370F25052DF18483280EA31A905C7B4

Function 00A2E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 9c3f92c0cf512e1e242c298e024df341261f17db75382bc530039d325ca09794
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: D4F0F432511A309AD6317B6DBE05B5A33A89F52331F100735F420921D2DB78E84186A5

Function 00A34C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00A01129,00000000,?,00A32E29,00000001,00000364,?,?,?,00A2F2DE,00A33863,00AD1444,?,00A1FDF5,?), ref: 00A34CBE

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b3aa29fae8fe67d7b2279643040e8ba6611307cb3af66efa0a6ca550fd9b0c6
Instruction ID: 7d8ede30a5df55f3ae94b2d896cce3c0afe41a6f439cba7269bd02396d5b5e7c
Opcode Fuzzy Hash: 5b3aa29fae8fe67d7b2279643040e8ba6611307cb3af66efa0a6ca550fd9b0c6
Instruction Fuzzy Hash: 53F0E93160773467DB215F66AD05B5A3798FF497B0F155122F815AA191CE70FC0246E0

Function 00A33820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6,?,00A01129), ref: 00A33852

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cd0c2e17f553a931beaea1b13148318f31d99ff627ab20c1806e71635e7b3b5f
Instruction ID: d37f692ec18d1e0c89c1b403ea44a783e591a11daedd38ab7867de807c1cf630
Opcode Fuzzy Hash: cd0c2e17f553a931beaea1b13148318f31d99ff627ab20c1806e71635e7b3b5f
Instruction Fuzzy Hash: 2BE0E53310A234A6EE212BBBAD01B9A3758AF427B0F150131BC05964A0CB10DD0282E4

Function 00A04F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04F6D

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bcd698012414aab0a16743f9e20448beabcbf941588a844c61eaea7e708b78df
Instruction ID: 30e5c6b6026c9c4e361b247a51ccda9b7bdc998689cf44964cfe998392076551
Opcode Fuzzy Hash: bcd698012414aab0a16743f9e20448beabcbf941588a844c61eaea7e708b78df
Instruction Fuzzy Hash: 19F015B1505756CFDB349F64E590822BBF4BF187293208A7EE3EA82661CB319884DB10

Function 00A92A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A92A66

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 06af40955b21c9d79bca324f5748dcafc30626cffd1c51e867fa414b5640c1f1
Instruction ID: 5742a2ea5337e2ad3c3cfc3f8a09eb64738c83dcf9b9fcc8c00db6543f1cd32c
Opcode Fuzzy Hash: 06af40955b21c9d79bca324f5748dcafc30626cffd1c51e867fa414b5640c1f1
Instruction Fuzzy Hash: A7E04F77354116BACB14EB30DC809FA73ECEF643D57104536AC1AC2500DB30999687A0

Function 00A030F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A0314E

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 8030a9e13c90cdb1391101e6ada44d34f8de96120fc72302482f7f9c95506d11
Instruction ID: d39509ee77e71bd884e84eaca8c56dd39f8038d8bbc0b0f344748ca9b425c1f6
Opcode Fuzzy Hash: 8030a9e13c90cdb1391101e6ada44d34f8de96120fc72302482f7f9c95506d11
Instruction Fuzzy Hash: C5F0A770A00318AFEB92DB64EC497D57BFCA701708F0000E6A5499A181DB705789CF41

Function 00A02DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A02DC4

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 5d703ea8bf90543facfa8116502e7f305ad687cd8a6f8e6587797f27bb9d3e21
Instruction ID: 6566185803e67556612a276c8b51820e0020f7912491c16ce22cd429194f0c0b
Opcode Fuzzy Hash: 5d703ea8bf90543facfa8116502e7f305ad687cd8a6f8e6587797f27bb9d3e21
Instruction Fuzzy Hash: 93E0CD76A001245BC710E7989C05FDA77DDDFC8794F040072FD09D7248DD60AD858550

Function 00A02B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A03837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A03908

Part of subcall function 00A0D730: GetInputState.USER32 ref: 00A0D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00A02B6B

Part of subcall function 00A030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A0314E

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f79668663c83600b876434a870513adbcc10b4a3d28eed80dd090c4bf4f70a8b
Instruction ID: 281d8908d99a624cb637db702ff15ba656ad4474175c1c60e6a16643bf189cc0
Opcode Fuzzy Hash: f79668663c83600b876434a870513adbcc10b4a3d28eed80dd090c4bf4f70a8b
Instruction Fuzzy Hash: 05E086A370425C17CA04FBB4BA5657EB75D9BD1351F40597FF143472E3CE24454A4352

Function 00A4039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00A40704,?,?,00000000,?,00A40704,00000000,0000000C), ref: 00A403B7

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0d4687b2d4b67b0e94d824b2ab355ba9286de293a4fb9186fba886160762f728
Instruction ID: 03c36797434889da4b155c260a1187f76be99695321f7e6a61d8c5ae7b4b0695
Opcode Fuzzy Hash: 0d4687b2d4b67b0e94d824b2ab355ba9286de293a4fb9186fba886160762f728
Instruction Fuzzy Hash: 78D06C3214010DBBDF028F84DD06EDA3BAAFB48714F114100BE1856020C732E822AB94

Function 00A01CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00A01CBC

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 0de6675b339ad696392807a2094aefe15ab961f5d46b6328003357881d2308f0
Instruction ID: 59097b5840b3358e49b4d7c9daea18973e2846f5b55eaa61ad691f6ae073eab7
Opcode Fuzzy Hash: 0de6675b339ad696392807a2094aefe15ab961f5d46b6328003357881d2308f0
Instruction Fuzzy Hash: 2AC092363C1304AFF214CBC4BC4EF107764A358B14F448003F60AA95E3C7A22822EB50

Non-executed Functions

Function 00A99576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A9961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A9965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00A9969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A996C9
SendMessageW.USER32 ref: 00A996F2
GetKeyState.USER32(00000011), ref: 00A9978B
GetKeyState.USER32(00000009), ref: 00A99798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A997AE
GetKeyState.USER32(00000010), ref: 00A997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A997E9
SendMessageW.USER32 ref: 00A99810
SendMessageW.USER32(?,00001030,?,00A97E95), ref: 00A99918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A9992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A99941
SetCapture.USER32(?), ref: 00A9994A
ClientToScreen.USER32(?,?), ref: 00A999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A999D6
ReleaseCapture.USER32 ref: 00A999E1
GetCursorPos.USER32(?), ref: 00A99A19
ScreenToClient.USER32(?,?), ref: 00A99A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A99A80
SendMessageW.USER32 ref: 00A99AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A99AEB
SendMessageW.USER32 ref: 00A99B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A99B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A99B4A
GetCursorPos.USER32(?), ref: 00A99B68
ScreenToClient.USER32(?,?), ref: 00A99B75
GetParent.USER32(?), ref: 00A99B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A99BFA
SendMessageW.USER32 ref: 00A99C2B
ClientToScreen.USER32(?,?), ref: 00A99C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A99CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A99CDE
SendMessageW.USER32 ref: 00A99D01
ClientToScreen.USER32(?,?), ref: 00A99D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A99D82

Part of subcall function 00A19944: GetWindowLongW.USER32(?,000000EB), ref: 00A19952

GetWindowLongW.USER32(?,000000F0), ref: 00A99E05

Strings

@GUI_DRAGID, xrefs: 00A9997D
F, xrefs: 00A99D07

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: e91c13b753cb77cdbd5f56554bdfaf4dcf149e3d6b7975a7be2e34d1a199da97
Instruction ID: 3796936e9d7cf018c011c0c15892c0b46a120e98897f48e4c6c46c06b9d3001e
Opcode Fuzzy Hash: e91c13b753cb77cdbd5f56554bdfaf4dcf149e3d6b7975a7be2e34d1a199da97
Instruction Fuzzy Hash: 91427C35304241BFDB24CF68CD94AABBBE5FF49720F14061EF699872A1DB31A891CB51

Function 00A94873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00A948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00A94908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00A94927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00A9494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00A9495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00A9497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00A949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00A949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00A94A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A94A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A94A7E
IsMenu.USER32(?), ref: 00A94A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A94AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A94B20
GetWindowLongW.USER32(?,000000F0), ref: 00A94B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00A94BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00A94C82
wsprintfW.USER32 ref: 00A94CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A94CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00A94CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A94D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A94D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00A94D5A

Strings

%d/%02d/%02d, xrefs: 00A94CA8

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 077aa13f170ccbfb2490aa7e90c6cb2453e0fe8fe3f10e3209f6c3465d75d543
Instruction ID: bea6ee4040a9b7e767055bba1ea168c7e1979756aa8fd93c906e64e85412a857
Opcode Fuzzy Hash: 077aa13f170ccbfb2490aa7e90c6cb2453e0fe8fe3f10e3209f6c3465d75d543
Instruction Fuzzy Hash: 7E12CE71700255ABEF248F68CC49FAE7BF8AF49710F14412AF516EB2E1DB789942CB50

Function 00A1F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00A1F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A5F474
IsIconic.USER32(00000000), ref: 00A5F47D
ShowWindow.USER32(00000000,00000009), ref: 00A5F48A
SetForegroundWindow.USER32(00000000), ref: 00A5F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A5F4AA
GetCurrentThreadId.KERNEL32 ref: 00A5F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A5F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A5F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A5F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00A5F4DE
SetForegroundWindow.USER32(00000000), ref: 00A5F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A5F4F6
keybd_event.USER32(00000012,00000000), ref: 00A5F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A5F50B
keybd_event.USER32(00000012,00000000), ref: 00A5F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A5F519
keybd_event.USER32(00000012,00000000), ref: 00A5F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A5F528
keybd_event.USER32(00000012,00000000), ref: 00A5F52D
SetForegroundWindow.USER32(00000000), ref: 00A5F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00A5F557

Strings

Shell_TrayWnd, xrefs: 00A5F46F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 88e347983c4b528930669197f2242818e207fd99801dee1f0c662ba4c333fa09
Instruction ID: 68c9170181f9d94a10e578f751e1eb8cdd7ee14d2c9f42308a0e4ab92786274e
Opcode Fuzzy Hash: 88e347983c4b528930669197f2242818e207fd99801dee1f0c662ba4c333fa09
Instruction Fuzzy Hash: 7B315371B802187FEB20ABF55C49FBF7E7DEB44B61F110426FA04E61D1DAB15D01AA60

Function 00A61201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00A616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A6170D
Part of subcall function 00A616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A6173A
Part of subcall function 00A616C3: GetLastError.KERNEL32 ref: 00A6174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00A61286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00A612A8
CloseHandle.KERNEL32(?), ref: 00A612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A612D1
GetProcessWindowStation.USER32 ref: 00A612EA
SetProcessWindowStation.USER32(00000000), ref: 00A612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A61310

Part of subcall function 00A610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A611FC), ref: 00A610D4
Part of subcall function 00A610BF: CloseHandle.KERNEL32(?,?,00A611FC), ref: 00A610E9

Strings

default, xrefs: 00A6130B
winsta0, xrefs: 00A612CC
, xrefs: 00A6125A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 014f3b8d26bd5c498267238d70249ebdd38ab00a1bbc696943473b93c8538d78
Instruction ID: 82802d046cc1d5d7bdc951cd94582154360f68a82fcd2e4928deba59f098a624
Opcode Fuzzy Hash: 014f3b8d26bd5c498267238d70249ebdd38ab00a1bbc696943473b93c8538d78
Instruction Fuzzy Hash: 1081ACB1A00208AFDF21DFA4DD49FEE7FB9EF04704F18412AFA11A61A0DB718945CB21

Function 00A60B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A61114
Part of subcall function 00A610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61120
Part of subcall function 00A610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A6112F
Part of subcall function 00A610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61136
Part of subcall function 00A610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A6114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A60BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A60C00
GetLengthSid.ADVAPI32(?), ref: 00A60C17
GetAce.ADVAPI32(?,00000000,?), ref: 00A60C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A60C6D
GetLengthSid.ADVAPI32(?), ref: 00A60C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A60C8C
HeapAlloc.KERNEL32(00000000), ref: 00A60C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A60CB4
CopySid.ADVAPI32(00000000), ref: 00A60CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A60CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A60D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A60D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60D45
HeapFree.KERNEL32(00000000), ref: 00A60D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60D55
HeapFree.KERNEL32(00000000), ref: 00A60D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60D65
HeapFree.KERNEL32(00000000), ref: 00A60D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A60D78
HeapFree.KERNEL32(00000000), ref: 00A60D7F

Part of subcall function 00A61193: GetProcessHeap.KERNEL32(00000008,00A60BB1,?,00000000,?,00A60BB1,?), ref: 00A611A1
Part of subcall function 00A61193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A60BB1,?), ref: 00A611A8
Part of subcall function 00A61193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A60BB1,?), ref: 00A611B7

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 41c5bf07fedcd47d9aa570c647570a40ef293943d742f5a40d21e3b4f0abfb57
Instruction ID: c8c94d140490d13fae205c7829b31506447b81d1d39aac262cddd7bb91d3851d
Opcode Fuzzy Hash: 41c5bf07fedcd47d9aa570c647570a40ef293943d742f5a40d21e3b4f0abfb57
Instruction Fuzzy Hash: 90715A72A0021AEFDF10DFE4DC44FAFBBB8BF05310F144616E915A6191DB71AA46CBA0

Function 00A7EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00A9CC08), ref: 00A7EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00A7EB37
GetClipboardData.USER32(0000000D), ref: 00A7EB43
CloseClipboard.USER32 ref: 00A7EB4F
GlobalLock.KERNEL32(00000000), ref: 00A7EB87
CloseClipboard.USER32 ref: 00A7EB91
GlobalUnlock.KERNEL32(00000000), ref: 00A7EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00A7EBC9
GetClipboardData.USER32(00000001), ref: 00A7EBD1
GlobalLock.KERNEL32(00000000), ref: 00A7EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00A7EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00A7EC38
GetClipboardData.USER32(0000000F), ref: 00A7EC44
GlobalLock.KERNEL32(00000000), ref: 00A7EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00A7EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A7EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A7ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00A7ECF3
CountClipboardFormats.USER32 ref: 00A7ED14
CloseClipboard.USER32 ref: 00A7ED59

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 2caa1c452baf6b7d276faa9b572c7bd459ce0945142848585f5c1e9e88e784a0
Instruction ID: f4b48c8c64bb1827f052ff54f614680822f35a4eb30b03fcbeafafe2aeef3b1f
Opcode Fuzzy Hash: 2caa1c452baf6b7d276faa9b572c7bd459ce0945142848585f5c1e9e88e784a0
Instruction Fuzzy Hash: BB61E2352042059FD310EF64DD84F6A7BE8AF88714F04C59AF55A872A2DF30DD06CBA2

Function 00A7698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A769BE
FindClose.KERNEL32(00000000), ref: 00A76A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A76A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A76A75

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00A76AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A76ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00A76B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00A76B32
%02d, xrefs: 00A76C00, 00A76C0A, 00A76C5A, 00A76CAA, 00A76CFA, 00A76D4A
%03d, xrefs: 00A76DA2
%4d, xrefs: 00A76BB1

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 7f688fbaabb438be620e3c4c53b7c2813290f2e308a150396708ad5d30309272
Instruction ID: ab5b96af7c2bb8b89f1d8b5c09ce0fc754a8eee1510ad17d83a7a2e3c052e2fc
Opcode Fuzzy Hash: 7f688fbaabb438be620e3c4c53b7c2813290f2e308a150396708ad5d30309272
Instruction Fuzzy Hash: 46D14071508344AEC710EBA4DD81EABB7ECAF88704F44491DF589D6191EB74EA48CB62

Function 00A79642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00A79663
GetFileAttributesW.KERNEL32(?), ref: 00A796A1
SetFileAttributesW.KERNEL32(?,?), ref: 00A796BB
FindNextFileW.KERNEL32(00000000,?), ref: 00A796D3
FindClose.KERNEL32(00000000), ref: 00A796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00A796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00A7974A
SetCurrentDirectoryW.KERNEL32(00AC6B7C), ref: 00A79768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A79772
FindClose.KERNEL32(00000000), ref: 00A7977F
FindClose.KERNEL32(00000000), ref: 00A7978F

Strings

*.*, xrefs: 00A796F5

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 9c85cb2f6af36f5be921f5fba0d05e5380121cd7e9793d05a9bc83e5e9f73d85
Instruction ID: 8782566e2d4e40dfffba7549a72c7fded9ed8d80de69308d6c5494541addf8e7
Opcode Fuzzy Hash: 9c85cb2f6af36f5be921f5fba0d05e5380121cd7e9793d05a9bc83e5e9f73d85
Instruction Fuzzy Hash: 7D319132641619BBDB14EFB4EC49EDF77ACAF09320F10C567E819E2190EB30DD458A24

Function 00A7979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00A797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00A79819
FindClose.KERNEL32(00000000), ref: 00A79824
FindFirstFileW.KERNEL32(*.*,?), ref: 00A79840
SetCurrentDirectoryW.KERNEL32(?), ref: 00A79890
SetCurrentDirectoryW.KERNEL32(00AC6B7C), ref: 00A798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A798B8
FindClose.KERNEL32(00000000), ref: 00A798C5
FindClose.KERNEL32(00000000), ref: 00A798D5

Part of subcall function 00A6DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A6DB00

Strings

*.*, xrefs: 00A7983B

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: de82891dde68eacba4051e9672878fa5605e46b5f0a0be35db3ca6eddff377a0
Instruction ID: 408d5e6d0a3d2db329299921105107be86ee06ea27ee109cd17b14c9b404e570
Opcode Fuzzy Hash: de82891dde68eacba4051e9672878fa5605e46b5f0a0be35db3ca6eddff377a0
Instruction Fuzzy Hash: 75319232641A19BADB10EFB4EC48ADF77ACAF06320F14C5A7E818A2190DB30DD458B65

Function 00A8BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8B6AE,?,?), ref: 00A8C9B5
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8C9F1
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA68
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A8BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00A8BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00A8BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A8C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A8C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A8C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A8C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00A8C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A8C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A8C382
RegCloseKey.ADVAPI32(00000000), ref: 00A8C38F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 64d45a1606eaf632912d6e50c8ce5eb311c0ca631896620e9586992f15d45dfc
Instruction ID: b10af756255bc04c681f09170a71799d8b674ec8f413cb4103f5a9d6475e3950
Opcode Fuzzy Hash: 64d45a1606eaf632912d6e50c8ce5eb311c0ca631896620e9586992f15d45dfc
Instruction Fuzzy Hash: 3A024C71604200AFD714DF24C995E2ABBE5EF49318F18859DF84ACB2A2DB31ED46CF61

Function 00A78195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A78257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A78267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A78273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A78310
SetCurrentDirectoryW.KERNEL32(?), ref: 00A78324
SetCurrentDirectoryW.KERNEL32(?), ref: 00A78356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A7838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00A78395

Strings

*.*, xrefs: 00A7839B

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: f92adc2c33add46c576893caaa4250a9455c7a4b97dd1ceaf0e9fc59508ba842
Instruction ID: 9f9647d03d5cb6347370f647a1f15fa05edc008e296b7e9e93017e79f9f61b54
Opcode Fuzzy Hash: f92adc2c33add46c576893caaa4250a9455c7a4b97dd1ceaf0e9fc59508ba842
Instruction Fuzzy Hash: 6B617B726083059FC710EF64D9449AFB3E8FF89324F04892EF99987251DB35E945CB92

Function 00A6D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A03A97,?,?,00A02E7F,?,?,?,00000000), ref: 00A03AC2

Part of subcall function 00A6E199: GetFileAttributesW.KERNEL32(?,00A6CF95), ref: 00A6E19A

FindFirstFileW.KERNEL32(?,?), ref: 00A6D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00A6D1DD
MoveFileW.KERNEL32(?,?), ref: 00A6D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A6D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A6D237

Part of subcall function 00A6D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00A6D21C,?,?), ref: 00A6D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00A6D253
FindClose.KERNEL32(00000000), ref: 00A6D264

Strings

\*.*, xrefs: 00A6D0CD, 00A6D0D6, 00A6D0EB

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 53c45586540e5dc3c8b9a729db3933a259dfb09b36ed2f62d75c3b1f4b7f9ad2
Instruction ID: cf15d13d552c6397f36c12c50bc8046a2165bd37a110cd98e86bd1a54fcbfebf
Opcode Fuzzy Hash: 53c45586540e5dc3c8b9a729db3933a259dfb09b36ed2f62d75c3b1f4b7f9ad2
Instruction Fuzzy Hash: ED616E31E0110DAFCF05EBE0DA929EEB7B9AF55340F208165E40277192EB316F09DB61

Function 00A7ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A7ED91
EmptyClipboard.USER32 ref: 00A7ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00A7EDAC
CloseClipboard.USER32 ref: 00A7EEA3

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: a040cf164879af114f4bd0ac4acaaa046e92f631c9d2fcbdae4e0c999429d129
Instruction ID: d3c94999622950d7402e0ff0a0b42703276a031d8f010414938b9865a329a6e7
Opcode Fuzzy Hash: a040cf164879af114f4bd0ac4acaaa046e92f631c9d2fcbdae4e0c999429d129
Instruction Fuzzy Hash: 3841A335604611AFD720DF55E848F5ABBE5FF48328F14C49AE4198F6A2CB35EC42CB90

Function 00A6E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00A616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A6170D
Part of subcall function 00A616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A6173A
Part of subcall function 00A616C3: GetLastError.KERNEL32 ref: 00A6174A

ExitWindowsEx.USER32(?,00000000), ref: 00A6E932

Strings

@, xrefs: 00A6E925
, xrefs: 00A6E920
SeShutdownPrivilege, xrefs: 00A6E902
, xrefs: 00A6E95C

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 4b9b211b5ab2929b5c1f032ae0103b807a6c36a445a9a7b6859badefda4782b1
Instruction ID: e81424ea23c5475c83394ae6ec424a7f55874f8d4ac7f179332625150f6712dd
Opcode Fuzzy Hash: 4b9b211b5ab2929b5c1f032ae0103b807a6c36a445a9a7b6859badefda4782b1
Instruction Fuzzy Hash: 3401D67B710211ABFB54E7B49C86FBBB37CAF14750F150822F912E21D1E9A15C4081A0

Function 00A81204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A81276
WSAGetLastError.WSOCK32 ref: 00A81283
bind.WSOCK32(00000000,?,00000010), ref: 00A812BA
WSAGetLastError.WSOCK32 ref: 00A812C5
closesocket.WSOCK32(00000000), ref: 00A812F4
listen.WSOCK32(00000000,00000005), ref: 00A81303
WSAGetLastError.WSOCK32 ref: 00A8130D
closesocket.WSOCK32(00000000), ref: 00A8133C

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 808bbcb5e3a172b1c11f6609cf6e70504726a9d6d636fe83f3c9a427e18501fa
Instruction ID: bba3b30be8bb6ad7fee0353ffeaba8c2a91a2e72e9bfd151660af15577c2aa18
Opcode Fuzzy Hash: 808bbcb5e3a172b1c11f6609cf6e70504726a9d6d636fe83f3c9a427e18501fa
Instruction Fuzzy Hash: 4141A4316002009FD710EF64D588B69BBE9FF46328F188199D8568F2D6D771ED82CBE1

Function 00A3B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A3B9D4
_free.LIBCMT ref: 00A3B9F8
_free.LIBCMT ref: 00A3BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00AA3700), ref: 00A3BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00AD121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00A3BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00AD1270,000000FF,?,0000003F,00000000,?), ref: 00A3BC36
_free.LIBCMT ref: 00A3BD4B

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 337d2ba9d7d35c2eefe436f37753afd75ab74d05a550daa4bf07ec30a994ac65
Instruction ID: cc683b2ec0afd971cf16f4c8c46de76135f53e9973e88ea7eb524f9e9dc820f5
Opcode Fuzzy Hash: 337d2ba9d7d35c2eefe436f37753afd75ab74d05a550daa4bf07ec30a994ac65
Instruction Fuzzy Hash: D5C13671E14204AFCB20DF789D41BAABBBAEF45350F1441AAF695DB251EB308E42C770

Function 00A6D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A03A97,?,?,00A02E7F,?,?,?,00000000), ref: 00A03AC2

Part of subcall function 00A6E199: GetFileAttributesW.KERNEL32(?,00A6CF95), ref: 00A6E19A

FindFirstFileW.KERNEL32(?,?), ref: 00A6D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A6D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A6D481
FindClose.KERNEL32(00000000), ref: 00A6D498
FindClose.KERNEL32(00000000), ref: 00A6D4A1

Strings

\*.*, xrefs: 00A6D3F2

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 8af70b5ad411c1fbdaaccf335ce3c9274d3bf61e955d533b3bb076b441721b32
Instruction ID: c761fe50585831eeb19383369acf1d5d62247898e106155e963818a8e1d8dfad
Opcode Fuzzy Hash: 8af70b5ad411c1fbdaaccf335ce3c9274d3bf61e955d533b3bb076b441721b32
Instruction Fuzzy Hash: 6A317E31508349ABC304EF64D9959AFB7B8AEA1354F444A1EF4D5931D1EF30AE09CB63

Function 00A3E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00A3E645

Strings

1#INF, xrefs: 00A3F852
1#SNAN, xrefs: 00A3F844
1#QNAN, xrefs: 00A3F84B
1#IND, xrefs: 00A3F83D

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 05eea638af8c737b05cddd3958ab0c91e3e0b7198e137ee2e821e86d478a1139
Instruction ID: 72fe6640faeb1650dcb490c15d966699d615cb56d551334843da0872e9ff3513
Opcode Fuzzy Hash: 05eea638af8c737b05cddd3958ab0c91e3e0b7198e137ee2e821e86d478a1139
Instruction Fuzzy Hash: B8C23A71E186298FDB25CF28DD407EAB7B5EB49305F1441EAE84DE7281E774AE818F40

Function 00A7648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A764DC
CoInitialize.OLE32(00000000), ref: 00A76639
CoCreateInstance.OLE32(00A9FCF8,00000000,00000001,00A9FB68,?), ref: 00A76650
CoUninitialize.OLE32 ref: 00A768D4

Strings

.lnk, xrefs: 00A764BA, 00A76524, 00A765E0

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 67f468ab27ba076d946293aaf95820a6f17c27749911ffbc99b5e2bf99e7769b
Instruction ID: c20675d3c7d2bb5341c0db9faae39a46688f4571bc4b751a136ae612757c4049
Opcode Fuzzy Hash: 67f468ab27ba076d946293aaf95820a6f17c27749911ffbc99b5e2bf99e7769b
Instruction Fuzzy Hash: B7D14971508705AFD304EF24D981A6BB7E8FF98704F00896DF5998B292DB70ED09CB92

Function 00A822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00A822E8

Part of subcall function 00A7E4EC: GetWindowRect.USER32(?,?), ref: 00A7E504

GetDesktopWindow.USER32 ref: 00A82312
GetWindowRect.USER32(00000000), ref: 00A82319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00A82355
GetCursorPos.USER32(?), ref: 00A82381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A823DF

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 06615c6784dd480777fbdc51f32a617cc44cdbcd014d5f29498abab5b3fe0271
Instruction ID: 203801514e02d8e13ac83caba65dd5d7319090402c0f9c62c08b763b9d3e984b
Opcode Fuzzy Hash: 06615c6784dd480777fbdc51f32a617cc44cdbcd014d5f29498abab5b3fe0271
Instruction Fuzzy Hash: A331E372604315AFC720EF54C845F6BB7E9FF84710F00091AF9859B181DB34E909CB92

Function 00A79B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00A79B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00A79C8B

Part of subcall function 00A73874: GetInputState.USER32 ref: 00A738CB
Part of subcall function 00A73874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A73966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00A79BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00A79C75

Strings

*.*, xrefs: 00A79B5D

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: bd65ffd4c1822e3a9a6d5541a791ec5d36b58f3b12db4d6d84dc2a5efeb3cc77
Instruction ID: ce81f34bc8226e725baaf58b6617ed3107c54d36c69d32a26f3faafbb3e63233
Opcode Fuzzy Hash: bd65ffd4c1822e3a9a6d5541a791ec5d36b58f3b12db4d6d84dc2a5efeb3cc77
Instruction Fuzzy Hash: B2415E7190060AAFCF15DFA4DD95AEFBBB8EF05310F24C156E409A2191EB309E84CF61

Function 00A1997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00A19A4E
GetSysColor.USER32(0000000F), ref: 00A19B23
SetBkColor.GDI32(?,00000000), ref: 00A19B36

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: cf28e923cfe8521f7856aa6d4cc752e5a525e17d1a84596a5250cabc659212a3
Instruction ID: a8a9e65be283d2df8af743040be4f942121dcbd2f323bd9aa55ea1a240e20ec4
Opcode Fuzzy Hash: cf28e923cfe8521f7856aa6d4cc752e5a525e17d1a84596a5250cabc659212a3
Instruction Fuzzy Hash: 94A13A70208414BEE725DB3CADB8DFF36EDEF46381B14010AF802D6591CA359D8AD272

Function 00A81806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A8307A
Part of subcall function 00A8304E: _wcslen.LIBCMT ref: 00A8309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A8185D
WSAGetLastError.WSOCK32 ref: 00A81884
bind.WSOCK32(00000000,?,00000010), ref: 00A818DB
WSAGetLastError.WSOCK32 ref: 00A818E6
closesocket.WSOCK32(00000000), ref: 00A81915

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: dc1fde3901f8495dd6e46e88eb8c9ddd88af724c4410cdb08c4998d48d5d44d6
Instruction ID: 93c76d8c61df6a59e72af3c6e88f902f62194c04e0702dc9f6adc82254ac4ebb
Opcode Fuzzy Hash: dc1fde3901f8495dd6e46e88eb8c9ddd88af724c4410cdb08c4998d48d5d44d6
Instruction Fuzzy Hash: 0451C671A00204AFDB10EF64D986F6A77E5AB44718F048498F9065F3D3DB71AD82CBE1

Function 00A91C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A91CC0
IsWindowEnabled.USER32 ref: 00A91CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00A91CDB
IsIconic.USER32 ref: 00A91CE9
IsZoomed.USER32 ref: 00A91CF7

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: f7f8a688b3e8a767d166d4319ccd2d9bf8e1fd7520de78c7b1e019c2c1650cde
Instruction ID: 5a070d1f0d2e04be60df7504d3adbc50dc200f0380ff4a81dfabaae95c19d07e
Opcode Fuzzy Hash: f7f8a688b3e8a767d166d4319ccd2d9bf8e1fd7520de78c7b1e019c2c1650cde
Instruction Fuzzy Hash: 4121A4317806125FDB208F2AD884F6A7BE5EF95325F198069E846CB351DB71EC42CB90

Function 00A08060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00A083E8
VUUU, xrefs: 00A45DF0
VUUU, xrefs: 00A0843C
ERCP, xrefs: 00A0813C
VUUU, xrefs: 00A083FA

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: edc4f238927e8856accc07e524383143250b972c5052221f58cd80aa3ba61a76
Instruction ID: de6f712b2687357583e77d70d9b9a218ddf61e512383a0c94a65706ce9e2bf47
Opcode Fuzzy Hash: edc4f238927e8856accc07e524383143250b972c5052221f58cd80aa3ba61a76
Instruction Fuzzy Hash: EAA2B074E0061ECBDF24CF58D8407AEB7B1BF84310F2481AAE855AB285EB759D81CF95

Function 00A6AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00A6AAAC
SetKeyboardState.USER32(00000080), ref: 00A6AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00A6AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00A6AB88

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9a3baf302f12c1989412153bb6e36dd0a2bbf6bc06fca394b77cc8a24574a760
Instruction ID: 70b33c26155c41b25e59f7032e3c27d8a90bb76fca780f962c5419d4d4ff4da2
Opcode Fuzzy Hash: 9a3baf302f12c1989412153bb6e36dd0a2bbf6bc06fca394b77cc8a24574a760
Instruction Fuzzy Hash: 1D31F430A40648AEFB35CB658C05BFE7BBAEB65320F04421BF591A61D1D7758D81CB62

Function 00A7CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00A7CE89
GetLastError.KERNEL32(?,00000000), ref: 00A7CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00A7CEFE

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 58ec462610557f04b89fdad6e36406f6898a850384882e3844fa6763b5850b03
Instruction ID: d72aceda207dcb840fe8e5db94f25cff25c327f7417f405239877efd97e1c41b
Opcode Fuzzy Hash: 58ec462610557f04b89fdad6e36406f6898a850384882e3844fa6763b5850b03
Instruction Fuzzy Hash: 3F219AB1600705ABEB20DFA5DD48BA7B7F8EB40364F10C42EE54A92151EB70EE458B64

Function 00A68298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A682AA

Strings

|, xrefs: 00A682DA
(, xrefs: 00A682F0

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 7f895db7abbd7a3e119782d54fdd5247b9b28af447bc4d49a571b1b9f17393d5
Instruction ID: 16cfa3c30f9a02ef9e1ef5d5589739212289e2196a6812f0e7fa3049fbb41920
Opcode Fuzzy Hash: 7f895db7abbd7a3e119782d54fdd5247b9b28af447bc4d49a571b1b9f17393d5
Instruction Fuzzy Hash: B7323574A00605DFCB28CF59C080AAAB7F4FF48710B15C56EE59ADB3A1EB74E981CB40

Function 00A75C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A75CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00A75D17
FindClose.KERNEL32(?), ref: 00A75D5F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f8a680d2b511c6bcc0d2ef5d6552ab7cfca9c4c0be6b71830f40abfa8d0dcaef
Instruction ID: 01ff93a2070f710ce1475974ccf74431c687a5b3e87ce893c82544b9367b2529
Opcode Fuzzy Hash: f8a680d2b511c6bcc0d2ef5d6552ab7cfca9c4c0be6b71830f40abfa8d0dcaef
Instruction Fuzzy Hash: C4519874A04A019FC714CF28D894A9AB7E4FF09324F14855EE95A8B3A2DB70FC04CB91

Function 00A32622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00A3271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A32724
UnhandledExceptionFilter.KERNEL32(?), ref: 00A32731

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7713b1f5f60894e0394c2c73d76a76ea6c011e84e9648a57828367c3ecbd8f6a
Instruction ID: 81758ca0a71427e773f9808ce0d6a4fe4e61bc68011f750a0e1def995949f012
Opcode Fuzzy Hash: 7713b1f5f60894e0394c2c73d76a76ea6c011e84e9648a57828367c3ecbd8f6a
Instruction Fuzzy Hash: 3931B774911228ABCB21DF68DD89BDDB7B8BF08310F5041EAE81CA7261E7309F818F45

Function 00A751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A75238
SetErrorMode.KERNEL32(00000000), ref: 00A752A1

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 8cc925b51fd3d574ce22d5148f126bc43c532a361eec6935cec576088942bd8e
Instruction ID: 96ec4b32ac6f2f6e4b3d7101ff553530f550592a113f720787b3e165b273d8ec
Opcode Fuzzy Hash: 8cc925b51fd3d574ce22d5148f126bc43c532a361eec6935cec576088942bd8e
Instruction Fuzzy Hash: 7B313075A00518DFDB00DF94D884EEDBBB4FF49314F148099E909AB3A2DB71E856CB91

Function 00A616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00A1FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00A20668
Part of subcall function 00A1FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00A20685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A6170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A6173A
GetLastError.KERNEL32 ref: 00A6174A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 1d72fec4ec7121026bbcc8d63a619d245e442d31c8553e38c1ce68d9e8ffe0a5
Instruction ID: cafab7c012290eb4c5e0f622d441ddaf9217efa06ab582967898ffce393c76eb
Opcode Fuzzy Hash: 1d72fec4ec7121026bbcc8d63a619d245e442d31c8553e38c1ce68d9e8ffe0a5
Instruction Fuzzy Hash: 9D1191B2504304AFD718DF54EC86DABBBB9EB44764B24852EE05657641EB70BC418B60

Function 00A6D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A6D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00A6D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A6D650

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 5ea5cd7c6dce21e6b2a79d177525ca7337dbde20eacd7a1a11e0ee985318b88e
Instruction ID: ac9f3fe9b2170a0bc570e220fc66162fdef2d61850da9a04a7a1b0f2e1604a62
Opcode Fuzzy Hash: 5ea5cd7c6dce21e6b2a79d177525ca7337dbde20eacd7a1a11e0ee985318b88e
Instruction Fuzzy Hash: 92115E75E05228BFDB10CF99DC45FAFBBBCEB45B60F108116F904E7290D6704A058BA1

Function 00A61663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A6168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A616A1
FreeSid.ADVAPI32(?), ref: 00A616B1

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3f6f2c7a4ad22cd8067cb67ceff4b42224f498dbd45613d54a3d5d41ea9c1bea
Instruction ID: bef22bac277665b4ddaa0c2da8afc33ffd77a0cc0b805f2c048d5d5bd0361bb4
Opcode Fuzzy Hash: 3f6f2c7a4ad22cd8067cb67ceff4b42224f498dbd45613d54a3d5d41ea9c1bea
Instruction Fuzzy Hash: 82F0F475A50309FBDF00DFE4DD89AAEBBBCEB08614F504565E501E2191E774AA448A50

Function 00A3C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00A3C36C

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: faa9f00f5286fd2e4aeea13a418b4a7fb511aa897b3070159a76abff94784bdd
Instruction ID: bd8598bb8935783dcd53fd4b1a5a583f1b3f52cb1af926b7b2d56d35a5722ba7
Opcode Fuzzy Hash: faa9f00f5286fd2e4aeea13a418b4a7fb511aa897b3070159a76abff94784bdd
Instruction Fuzzy Hash: 76413B765002196FCB20EFB9DC49EBBB7B8EB84324F104269F915EB180E670AD41CB50

Function 00A5D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00A5D28C

Strings

X64, xrefs: 00A5D2A8

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 5ee545017074bcae45b77ad35fab3d917c6e5ee2944ef94992ee6d22a4ffddfb
Instruction ID: 347d2718970737e2d56fb52caff8ad8fd72409345c49f9bf3566ceb7775e59ac
Opcode Fuzzy Hash: 5ee545017074bcae45b77ad35fab3d917c6e5ee2944ef94992ee6d22a4ffddfb
Instruction Fuzzy Hash: 7FD0CAB480112DEECBA0CBA0EC88DDEB3BCBB08306F100292F506A2000DB7096898F20

Function 00A2CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: ae1d8de887f9af6c63cc42d0b1aff3a5a8ea30e897983a1cfacfe6d47d98466f
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: A4021E71E002299FDF14CFADD9806ADFBF1EF48324F254169D919E7344D731AA418B94

Function 00A768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A76918
FindClose.KERNEL32(00000000), ref: 00A76961

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ad94bd443d98613fdbd439cc15a8a376ecb9a1feebfcd0dbe0a1df5f590e3edb
Instruction ID: 7d8dd749b2cdee99030c06fa98fed89ee74d4d463beaf497ee4df6d4f3b5ac28
Opcode Fuzzy Hash: ad94bd443d98613fdbd439cc15a8a376ecb9a1feebfcd0dbe0a1df5f590e3edb
Instruction Fuzzy Hash: 501190716046019FC710DF69D884B16BBE5FF85328F14C6A9E5698F6A2CB30EC45CB91

Function 00A737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00A84891,?,?,00000035,?), ref: 00A737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00A84891,?,?,00000035,?), ref: 00A737F4

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a229ebea0a2e28f66e1274f9c52aef577151e578953068837c79c5dfc3f0c763
Instruction ID: c991a245bfd32c89a9b6ecf0b11cf528df9a5edbeedf6910bde9d09a0c3a6431
Opcode Fuzzy Hash: a229ebea0a2e28f66e1274f9c52aef577151e578953068837c79c5dfc3f0c763
Instruction Fuzzy Hash: 19F0E5B17042282AEB20A7A69D4DFEB7BAEEFC4771F004166F509D2281D9609945C6B0

Function 00A6B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00A6B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00A6B270

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 4f62fcc3e55e0973ec466033a65d74dc1ffa8723120befb3c5fa830a138cbb78
Instruction ID: 22a3c702433179d98331e9469d7fedb767e5eb2e33b6bfba126c508635076559
Opcode Fuzzy Hash: 4f62fcc3e55e0973ec466033a65d74dc1ffa8723120befb3c5fa830a138cbb78
Instruction Fuzzy Hash: F3F06D7090428DABDB05CFA0C805BEE7BB0FF04315F00800AF951A5192C77982019FA4

Function 00A610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A611FC), ref: 00A610D4
CloseHandle.KERNEL32(?,?,00A611FC), ref: 00A610E9

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b6d0b1f7d46b9a74aba52627a7c837746ee7b7049e114a140b99f5b675374474
Instruction ID: 2503733a2e14bf1a104174b96e85aeaf9168eee7867e27c2abc26fd1fc2867b7
Opcode Fuzzy Hash: b6d0b1f7d46b9a74aba52627a7c837746ee7b7049e114a140b99f5b675374474
Instruction Fuzzy Hash: 0FE04F32008640AEEB252B51FD05EB77BA9EB04320F14882EF5A5804B1DF626CE0DB10

Function 00A0CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00A50C40

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 210ddb886ab4cc3a01d7ad04be8cf1c61fc7e445e4fe811b770dea698428b4ca
Instruction ID: f9ad4a61b45dac28938f3ec9d4ba142203652b07f4180ddefe91cf6ba7e3a797
Opcode Fuzzy Hash: 210ddb886ab4cc3a01d7ad04be8cf1c61fc7e445e4fe811b770dea698428b4ca
Instruction Fuzzy Hash: E932AA7090021CDBDF14DF90E991EEDB7B5BF05314F208259E806AB2D2DB35AE4ACB61

Function 00A3676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A36766,?,?,00000008,?,?,00A3FEFE,00000000), ref: 00A36998

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 892d1cc29c31286d0412567438c41c851415fdcccff6685a6562a879bdc5989f
Instruction ID: 72197074161b3fda627a2718e9ee361849ab5f6b6f50a4c121101b44659bb75b
Opcode Fuzzy Hash: 892d1cc29c31286d0412567438c41c851415fdcccff6685a6562a879bdc5989f
Instruction Fuzzy Hash: 94B11771610609AFD719CF28C48AB657BB0FF49364F29C658F899CF2A2C735E991CB40

Function 00A1B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00A5851F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4bafa4c74f206d1001e9561f3f0a18dcbd3bb02d6ca7d0503a873e4fb53d82d7
Instruction ID: 709b777902c7062dfc75fc9365ed15f57095e3d2271b5b80eec599a5cdf6d0ac
Opcode Fuzzy Hash: 4bafa4c74f206d1001e9561f3f0a18dcbd3bb02d6ca7d0503a873e4fb53d82d7
Instruction Fuzzy Hash: C3127E75A10229DFDB14CF58C9806EEB7F5FF48310F14819AE849EB255EB349A85CBA0

Function 00A7EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00A7EABD

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: d590014e92ea3ce0cbf839b378c9a304ef6d77101119feb1347cb1527037c55a
Instruction ID: 3fffc177f0480c529af6dc68129b7a1ebb333f94d5d98d0f013e0820e37bc7f9
Opcode Fuzzy Hash: d590014e92ea3ce0cbf839b378c9a304ef6d77101119feb1347cb1527037c55a
Instruction Fuzzy Hash: 43E01A312102049FC710EF59E904E9AB7E9AF987B0F00C456FD4AC7291DA70A8418BA1

Function 00A209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00A203EE), ref: 00A209DA

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 03c5ebeebb505a73403c4755c212c92274d716d063093cb84834dcaf5533da5b
Instruction ID: b25d9550704e17ee3b78264013852b7410dcbc45927524f751f9c67a0e4a7471
Opcode Fuzzy Hash: 03c5ebeebb505a73403c4755c212c92274d716d063093cb84834dcaf5533da5b
Instruction Fuzzy Hash:

Function 00A2781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00A2798B

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 7e0900dcf94dfc432b0c39211e04a348e422927046d3c8accb176417e24a691d
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2051657160D7355BDB38877CBA5ABBE23E99B02340F180539E982D7282CA15EFC1D352

Function 00A36DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 867c22394bd36280889705be10a4cf30a4d1107b52c0c5b9263e2e6b3f5fc1f4
Instruction ID: cf134811c8c2222e6372aceafef5df2de945b4b97fea2301750fbfe21172324f
Opcode Fuzzy Hash: 867c22394bd36280889705be10a4cf30a4d1107b52c0c5b9263e2e6b3f5fc1f4
Instruction Fuzzy Hash: D0321361D29F024DD7379638C82233AA649AFB73C5F15D727F81AB5DA6EB29C4C34200

Function 00A1CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fc195d1a1998d543aaff46c728361404ddae1b71b161f8cdba876c4e32a19b
Instruction ID: 407976d5d7f55fb1a2abea5409aa0057d8ff30271969e026d35de61db8e245dd
Opcode Fuzzy Hash: 83fc195d1a1998d543aaff46c728361404ddae1b71b161f8cdba876c4e32a19b
Instruction Fuzzy Hash: E1322732A003158FDF28CB69C4906BD7BB1FB45372F298166DC49DB699E234DD89DB80

Function 00A07920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88346f6ae383d99f85bb615fb531c81f24c87a7191b71de21d96c7685bc1b2b7
Instruction ID: 593bad9e3c634257f4afefd47939a7fa6ebe28779bc0c3d9c3d8a997b9063c61
Opcode Fuzzy Hash: 88346f6ae383d99f85bb615fb531c81f24c87a7191b71de21d96c7685bc1b2b7
Instruction Fuzzy Hash: BF22BF74E04609DFDF14CFA4D981AAEB3F6FF44300F244629E816AB292EB35AD55CB50

Function 00A091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e882a93ae521d910821453b38311fa07e34c9ea97c1e9ee07ba630415c661205
Instruction ID: 3a333357dc28fc112ee46b2bdf72d9da77d10267e0f3ac6e344d81fb358570a2
Opcode Fuzzy Hash: e882a93ae521d910821453b38311fa07e34c9ea97c1e9ee07ba630415c661205
Instruction Fuzzy Hash: B502C5B5E00209EFDF04DF54D981AAEB7B5FF44340F118169E8169B2D1EB31AE61CB91

Function 00A39EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a5b5b0f33fcf2d458431d9d07772f011d0cbef9fcd8c5d437b35a51533afd0
Instruction ID: 5a5da4b337ced77232686a5e9b0691c50b80514c685e859b36787f6ac9bc2c99
Opcode Fuzzy Hash: b4a5b5b0f33fcf2d458431d9d07772f011d0cbef9fcd8c5d437b35a51533afd0
Instruction Fuzzy Hash: D1B12321D2AF514DCB2396798831336F64CAFBB6D5F91D31BFC2678D62EB2286834140

Function 00A21C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 9f63f09eed24a604170686eff54e0a245e1433b68c9a9ae7aff67c06088004f9
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: F59146725080B34ADB2D473EA57447EFFE15AA23A131A07BED4F2CA1C5FE24D954D620

Function 00A21F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 7e1e520df0ed3c38a0d789de0a25d670fdecc85d2b3dd7c26da806b825fed946
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 2B9153722090B359DB2D433D957453EFEE15A923A131A07BEE4F2CA1D5EE24C964E720

Function 00A219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: c19ef142046ce809b5d94ee4eeb7d54e64f11c46b4b0399e15ef66394d47e176
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: A59121722090B34ADB2D477EA57443EFFF15AA23A231A07BED4F2CA1C5FE2485549620

Function 00A27A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52144c55a5c3735529d48f3c121678d91d88ecf96de2cfe8a8ff28c48ca960ac
Instruction ID: 89cfa1fe507ba53a974280a90fd7f55e02b6e3b63650b5826a02fb4bf3129c6a
Opcode Fuzzy Hash: 52144c55a5c3735529d48f3c121678d91d88ecf96de2cfe8a8ff28c48ca960ac
Instruction Fuzzy Hash: C661457120873996DF389B2CBAA6BBE23A5DF41750F20093AF843DB281DA15DF428355

Function 00A27CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a3a0efe44d6d0ef0058cb215590d0cf3b383e254752051cd67706d68f81a83
Instruction ID: a8902d56ba2f3431143b4edeb6dd37adbcc52c4febd15d30e67f48633c04372a
Opcode Fuzzy Hash: 39a3a0efe44d6d0ef0058cb215590d0cf3b383e254752051cd67706d68f81a83
Instruction Fuzzy Hash: 5A617A7560873957DE388B2C7951BBF2394EF42700F100979F843DB681DA16EF428B66

Function 00A21706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e3a08d14102ee5b3585d34d173e957329c33639147aa5ffaf699d363cdb04fbc
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F48174726090B349DB6D473E957443EFFE15AA23A131A07BDD4F2CB1C1EE24CA54E660

Function 00A72046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a67bcc82d19ef5a1b258104fd8971417df9c54bda69be35bcc7ab96f72d81f4
Instruction ID: df0c11b0af2253074080a84eb35774a917fc20208708876ddf2140d9bd33b1c0
Opcode Fuzzy Hash: 2a67bcc82d19ef5a1b258104fd8971417df9c54bda69be35bcc7ab96f72d81f4
Instruction Fuzzy Hash: B22193326216118BDB28CF79C82277A73E5A764310F19CA2EE4A7C37D0DE35A905CB90

Function 00A82ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A82B30
DeleteObject.GDI32(00000000), ref: 00A82B43
DestroyWindow.USER32 ref: 00A82B52
GetDesktopWindow.USER32 ref: 00A82B6D
GetWindowRect.USER32(00000000), ref: 00A82B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00A82CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00A82CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82CF8
GetClientRect.USER32(00000000,?), ref: 00A82D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A82D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82D80
GlobalLock.KERNEL32(00000000), ref: 00A82D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82D98
GlobalUnlock.KERNEL32(00000000), ref: 00A82DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82DA8
GlobalFree.KERNEL32(00000000), ref: 00A82DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A9FC38,00000000), ref: 00A82DDB
GlobalFree.KERNEL32(00000000), ref: 00A82DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00A82E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00A82E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A8303F

Strings

, xrefs: 00A82FC5
DISPLAY, xrefs: 00A82EA2
AutoIt v3, xrefs: 00A82CF2
static, xrefs: 00A82D3A, 00A82E91

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: cc5dbec8f350ca4eb34878ee44529f1d8f58a04ca86a090964757f59875af7e2
Instruction ID: 5fcbaf6f130b5423063d975f4884514cba3f98dfac21368e2df761ca957571b3
Opcode Fuzzy Hash: cc5dbec8f350ca4eb34878ee44529f1d8f58a04ca86a090964757f59875af7e2
Instruction Fuzzy Hash: 6B028075600208AFDB14DFA4DD89EAE7BB9FF48724F108159F915AB2A1DB70ED01CB60

Function 00A970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A9712F
GetSysColorBrush.USER32(0000000F), ref: 00A97160
GetSysColor.USER32(0000000F), ref: 00A9716C
SetBkColor.GDI32(?,000000FF), ref: 00A97186
SelectObject.GDI32(?,?), ref: 00A97195
InflateRect.USER32(?,000000FF,000000FF), ref: 00A971C0
GetSysColor.USER32(00000010), ref: 00A971C8
CreateSolidBrush.GDI32(00000000), ref: 00A971CF
FrameRect.USER32(?,?,00000000), ref: 00A971DE
DeleteObject.GDI32(00000000), ref: 00A971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00A97230
FillRect.USER32(?,?,?), ref: 00A97262
GetWindowLongW.USER32(?,000000F0), ref: 00A97284

Part of subcall function 00A973E8: GetSysColor.USER32(00000012), ref: 00A97421
Part of subcall function 00A973E8: SetTextColor.GDI32(?,?), ref: 00A97425
Part of subcall function 00A973E8: GetSysColorBrush.USER32(0000000F), ref: 00A9743B
Part of subcall function 00A973E8: GetSysColor.USER32(0000000F), ref: 00A97446
Part of subcall function 00A973E8: GetSysColor.USER32(00000011), ref: 00A97463
Part of subcall function 00A973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A97471
Part of subcall function 00A973E8: SelectObject.GDI32(?,00000000), ref: 00A97482
Part of subcall function 00A973E8: SetBkColor.GDI32(?,00000000), ref: 00A9748B
Part of subcall function 00A973E8: SelectObject.GDI32(?,?), ref: 00A97498
Part of subcall function 00A973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00A974B7
Part of subcall function 00A973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A974CE
Part of subcall function 00A973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00A974DB

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 3f139e6f9d43591f2f992fce8a212a6082bb5819a70d03057d170effc01323fc
Instruction ID: 3f7f9339e4ef0f72ea0a67091e4994bf1b300b26e58dc3609c5159341ff447f3
Opcode Fuzzy Hash: 3f139e6f9d43591f2f992fce8a212a6082bb5819a70d03057d170effc01323fc
Instruction Fuzzy Hash: F1A17E72218701AFDB01DFA4DC48A6F7BE9FB49330F100B1AF962961E1DB71E9458B61

Function 00A18D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00A18E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00A56AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A56AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A56F43

Part of subcall function 00A18F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A18BE8,?,00000000,?,?,?,?,00A18BBA,00000000,?), ref: 00A18FC5

SendMessageW.USER32(?,00001053), ref: 00A56F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A56F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00A56FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00A56FB7

Strings

0, xrefs: 00A56DCF

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 2c79c71cbd7805ceceb42c04419673251181fae06c8f3c2f89c13b6bdaeb1617
Instruction ID: fc790788acd74d2b997266692333efe736b260d53be0b484b331011eae99bec2
Opcode Fuzzy Hash: 2c79c71cbd7805ceceb42c04419673251181fae06c8f3c2f89c13b6bdaeb1617
Instruction Fuzzy Hash: 2912BE30601601EFDB25CF24C954BAAB7F1FB45312F94446AF885CB2A2CB35EC9ACB51

Function 00A82711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00A8273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A8286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00A828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00A828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00A82900
GetClientRect.USER32(00000000,?), ref: 00A8290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00A82955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A82964
GetStockObject.GDI32(00000011), ref: 00A82974
SelectObject.GDI32(00000000,00000000), ref: 00A82978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00A82988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A82991
DeleteDC.GDI32(00000000), ref: 00A8299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00A829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00A82A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A82A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00A82A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00A82A77
GetStockObject.GDI32(00000011), ref: 00A82A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A82A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00A82A97

Strings

DISPLAY, xrefs: 00A8295A
AutoIt v3, xrefs: 00A828F8
static, xrefs: 00A8294F, 00A82A71
msctls_progress32, xrefs: 00A82A13

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 93a7229a2e27c095e7cd8b8c09781008f352a8b2599986d85837fef097d82c8b
Instruction ID: 32f13957a632c7586e92548d0f8182c8c3cfd5bbeed83986cef9c83de6f2f6f6
Opcode Fuzzy Hash: 93a7229a2e27c095e7cd8b8c09781008f352a8b2599986d85837fef097d82c8b
Instruction Fuzzy Hash: 7FB16D71A00619BFEB14DFA8DD49FAE7BA9EB08710F004115FA15EB2D0DB70AD41CBA4

Function 00A74ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A74AED
GetDriveTypeW.KERNEL32(?,00A9CB68,?,\\.\,00A9CC08), ref: 00A74BCA
SetErrorMode.KERNEL32(00000000,00A9CB68,?,\\.\,00A9CC08), ref: 00A74D36

Strings

RAMDisk, xrefs: 00A74BF4
ATAPI, xrefs: 00A74C91
MMC, xrefs: 00A74CDE
USB, xrefs: 00A74CB4
iSCSI, xrefs: 00A74CC2
Removable, xrefs: 00A74C10, 00A74C15
CDROM, xrefs: 00A74BFB
SATA, xrefs: 00A74CD0
SAS, xrefs: 00A74CC9
SSD, xrefs: 00A74C4A
RAID, xrefs: 00A74CBB
FileBackedVirtual, xrefs: 00A74CEC
PhysicalDrive, xrefs: 00A74B76
SCSI, xrefs: 00A74C8A
ATA, xrefs: 00A74C98
\\.\, xrefs: 00A74B3F
1394, xrefs: 00A74C9F
SSA, xrefs: 00A74CA6
Unknown, xrefs: 00A74BED, 00A74C83
Fibre, xrefs: 00A74CAD
Fixed, xrefs: 00A74C09
Virtual, xrefs: 00A74CE5
Network, xrefs: 00A74C02

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 143a5421841af1a43853704a53bfe8cbd179b9e88d11e495a05d94a87eacdf74
Instruction ID: 640e08b8a936a4e0a1e89b603b7c5eb8bc3ac1867f1fc095471360616e17db5c
Opcode Fuzzy Hash: 143a5421841af1a43853704a53bfe8cbd179b9e88d11e495a05d94a87eacdf74
Instruction Fuzzy Hash: 80618F31705509ABCB16DF28CE82E6977B0BF4C344B25C419F80AAB692DB35ED41DB51

Function 00A973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A97421
SetTextColor.GDI32(?,?), ref: 00A97425
GetSysColorBrush.USER32(0000000F), ref: 00A9743B
GetSysColor.USER32(0000000F), ref: 00A97446
CreateSolidBrush.GDI32(?), ref: 00A9744B
GetSysColor.USER32(00000011), ref: 00A97463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A97471
SelectObject.GDI32(?,00000000), ref: 00A97482
SetBkColor.GDI32(?,00000000), ref: 00A9748B
SelectObject.GDI32(?,?), ref: 00A97498
InflateRect.USER32(?,000000FF,000000FF), ref: 00A974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00A974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A9752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A97554
InflateRect.USER32(?,000000FD,000000FD), ref: 00A97572
DrawFocusRect.USER32(?,?), ref: 00A9757D
GetSysColor.USER32(00000011), ref: 00A9758E
SetTextColor.GDI32(?,00000000), ref: 00A97596
DrawTextW.USER32(?,00A970F5,000000FF,?,00000000), ref: 00A975A8
SelectObject.GDI32(?,?), ref: 00A975BF
DeleteObject.GDI32(?), ref: 00A975CA
SelectObject.GDI32(?,?), ref: 00A975D0
DeleteObject.GDI32(?), ref: 00A975D5
SetTextColor.GDI32(?,?), ref: 00A975DB
SetBkColor.GDI32(?,?), ref: 00A975E5

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 7da271ec02a1744e5231cc5804a92fea63f0fd7ee6571fe4aa7bed10c60e2ddf
Instruction ID: af83de6b4bdddf7b1da171778d7ef182b1d95fc76f0caf9a5cfdf70d2c48096d
Opcode Fuzzy Hash: 7da271ec02a1744e5231cc5804a92fea63f0fd7ee6571fe4aa7bed10c60e2ddf
Instruction Fuzzy Hash: 9F615F76A00618AFDF01DFA4DC49EEE7FB9EB08330F114116F915AB2A1DB749941CBA0

Function 00A90FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A91128
GetDesktopWindow.USER32 ref: 00A9113D
GetWindowRect.USER32(00000000), ref: 00A91144
GetWindowLongW.USER32(?,000000F0), ref: 00A91199
DestroyWindow.USER32(?), ref: 00A911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A9120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A9121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00A91232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00A91245
IsWindowVisible.USER32(00000000), ref: 00A912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00A912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00A912D0
GetWindowRect.USER32(00000000,?), ref: 00A912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00A9130E
GetMonitorInfoW.USER32(00000000,?), ref: 00A91328
CopyRect.USER32(?,?), ref: 00A9133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00A913AA

Strings

(, xrefs: 00A9131B
tooltips_class32, xrefs: 00A911E6
0, xrefs: 00A910D3

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 0950119a250d4d1198f87dfcddfcfb42bf703d167cfcc5964123995ba6a1d8f0
Instruction ID: 3ec1c52be4f062f1a1a76b95e4f386659a67a63c15eb61983e9c1d324747ea47
Opcode Fuzzy Hash: 0950119a250d4d1198f87dfcddfcfb42bf703d167cfcc5964123995ba6a1d8f0
Instruction Fuzzy Hash: 4CB16B71604341AFDB00DF64D984B6BBBE4FF88354F00891DF99A9B2A1CB31E845CBA1

Function 00A90241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A902E5
_wcslen.LIBCMT ref: 00A9031F
_wcslen.LIBCMT ref: 00A90389
_wcslen.LIBCMT ref: 00A903F1
_wcslen.LIBCMT ref: 00A90475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00A904C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A90504

Part of subcall function 00A1F9F2: _wcslen.LIBCMT ref: 00A1F9FD

Part of subcall function 00A6223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A62258
Part of subcall function 00A6223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A6228A

Strings

SELECTINVERT, xrefs: 00A9057E
VIEWCHANGE, xrefs: 00A90675
SELECTCLEAR, xrefs: 00A9052D
GETSELECTED, xrefs: 00A905E1
GETITEMCOUNT, xrefs: 00A90316, 00A90337
SELECT, xrefs: 00A90548
FINDITEM, xrefs: 00A90627
GETSELECTEDCOUNT, xrefs: 00A90470, 00A9048B
GETSUBITEMCOUNT, xrefs: 00A90384, 00A9039F
SELECTALL, xrefs: 00A90515
ISSELECTED, xrefs: 00A904DD
GETTEXT, xrefs: 00A903EC, 00A90407
DESELECT, xrefs: 00A9059C

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: a137fb47b92875a20b38a38d9d95ba719e96ed3f19f8204076880c40446ac872
Instruction ID: bf3880c15d65e97cadaceffdd9621b15a239b27df79d519ffd6e48438a4e97df
Opcode Fuzzy Hash: a137fb47b92875a20b38a38d9d95ba719e96ed3f19f8204076880c40446ac872
Instruction Fuzzy Hash: B9E1AD313082019FCB14DF24CA51D6EB7E6BFC8794B15896CF8969B2A1DB30ED45CB51

Function 00A18891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A18968
GetSystemMetrics.USER32(00000007), ref: 00A18970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A1899B
GetSystemMetrics.USER32(00000008), ref: 00A189A3
GetSystemMetrics.USER32(00000004), ref: 00A189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A18A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A18A3C
GetClientRect.USER32(00000000,000000FF), ref: 00A18A5A
GetStockObject.GDI32(00000011), ref: 00A18A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A18A81

Part of subcall function 00A1912D: GetCursorPos.USER32(?), ref: 00A19141
Part of subcall function 00A1912D: ScreenToClient.USER32(00000000,?), ref: 00A1915E
Part of subcall function 00A1912D: GetAsyncKeyState.USER32(00000001), ref: 00A19183
Part of subcall function 00A1912D: GetAsyncKeyState.USER32(00000002), ref: 00A1919D

SetTimer.USER32(00000000,00000000,00000028,00A190FC), ref: 00A18AA8

Strings

AutoIt v3 GUI, xrefs: 00A18A20

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 97db2f8ca0241402b78d5e44572eb841ae0a05ad0f853642abc0378bddb37e78
Instruction ID: 14241c0700f324783717bc43bacba3358e1944b3ced2026a4b50ea4f7ae18c76
Opcode Fuzzy Hash: 97db2f8ca0241402b78d5e44572eb841ae0a05ad0f853642abc0378bddb37e78
Instruction Fuzzy Hash: 60B17F71A40209AFDF14DFA8DD55BEE3BB5FB48315F11421AFA16A7290DB34E841CB50

Function 00A60D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A61114
Part of subcall function 00A610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61120
Part of subcall function 00A610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A6112F
Part of subcall function 00A610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61136
Part of subcall function 00A610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A6114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A60DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A60E29
GetLengthSid.ADVAPI32(?), ref: 00A60E40
GetAce.ADVAPI32(?,00000000,?), ref: 00A60E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A60E96
GetLengthSid.ADVAPI32(?), ref: 00A60EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A60EB5
HeapAlloc.KERNEL32(00000000), ref: 00A60EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A60EDD
CopySid.ADVAPI32(00000000), ref: 00A60EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A60F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A60F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A60F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60F6E
HeapFree.KERNEL32(00000000), ref: 00A60F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60F7E
HeapFree.KERNEL32(00000000), ref: 00A60F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60F8E
HeapFree.KERNEL32(00000000), ref: 00A60F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00A60FA1
HeapFree.KERNEL32(00000000), ref: 00A60FA8

Part of subcall function 00A61193: GetProcessHeap.KERNEL32(00000008,00A60BB1,?,00000000,?,00A60BB1,?), ref: 00A611A1
Part of subcall function 00A61193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A60BB1,?), ref: 00A611A8
Part of subcall function 00A61193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A60BB1,?), ref: 00A611B7

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: b6d637ee7c28f7cf2c801c81a0aca944e319e56542a9be87c6827d48ce69233f
Instruction ID: 6f4b3f874f666e640ae1eb9ca54952497292983d18c029a1e9bc186b401210e0
Opcode Fuzzy Hash: b6d637ee7c28f7cf2c801c81a0aca944e319e56542a9be87c6827d48ce69233f
Instruction Fuzzy Hash: 87716B72A0021AABDF21DFA4DD44FAFBBB8FF05311F144215FA19E6191DB319945CB60

Function 00A8C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A8C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00A9CC08,00000000,?,00000000,?,?), ref: 00A8C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00A8C5A4
_wcslen.LIBCMT ref: 00A8C5F4
_wcslen.LIBCMT ref: 00A8C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00A8C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00A8C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00A8C84D
RegCloseKey.ADVAPI32(?), ref: 00A8C881
RegCloseKey.ADVAPI32(00000000), ref: 00A8C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00A8C960

Strings

REG_DWORD, xrefs: 00A8C804
REG_EXPAND_SZ, xrefs: 00A8C5CD
REG_MULTI_SZ, xrefs: 00A8C6F5
REG_BINARY, xrefs: 00A8C913
REG_QWORD, xrefs: 00A8C8C3
REG_SZ, xrefs: 00A8C644

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 19a6516873dff072e419f6e2d2035df3cdcfe34fecbbba7115210eb26ce1d2ea
Instruction ID: 41156fcd1c0639a7d5594eebe839888cfa596c031367d82f338b76d1d798b20a
Opcode Fuzzy Hash: 19a6516873dff072e419f6e2d2035df3cdcfe34fecbbba7115210eb26ce1d2ea
Instruction Fuzzy Hash: 841258356042019FDB14EF14D991A2AB7E5EF88724F04889DF89A9B3A2DB31FD41CF91

Function 00A9091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A909C6
_wcslen.LIBCMT ref: 00A90A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A90A54
_wcslen.LIBCMT ref: 00A90A8A
_wcslen.LIBCMT ref: 00A90B06
_wcslen.LIBCMT ref: 00A90B81

Part of subcall function 00A1F9F2: _wcslen.LIBCMT ref: 00A1F9FD

Part of subcall function 00A62BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A62BFA

Strings

UNCHECK, xrefs: 00A90D3E
EXPAND, xrefs: 00A90BF8
EXISTS, xrefs: 00A90B7C, 00A90B97
ISCHECKED, xrefs: 00A90CE1
GETTOTALCOUNT, xrefs: 00A909F2, 00A90A17
GETSELECTED, xrefs: 00A90C4E
GETTEXT, xrefs: 00A90C97
CHECK, xrefs: 00A90A85, 00A90AA0
COLLAPSE, xrefs: 00A90B01, 00A90B1C
SELECT, xrefs: 00A90D11
GETITEMCOUNT, xrefs: 00A90C1E

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 495c734ac68a67ccb732c9940e650a3dca067721cab286c8969361329734b6a3
Instruction ID: a3e3c5f6c445bc474ac77678cbd46397184c5ed9e8e7725c3757bb51b55aebfb
Opcode Fuzzy Hash: 495c734ac68a67ccb732c9940e650a3dca067721cab286c8969361329734b6a3
Instruction Fuzzy Hash: 5EE189362087019FCB14EF28C550D6EB7E1BF98394B15895CF8969B3A2DB30ED85CB81

Function 00A8C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8B6AE,?,?), ref: 00A8C9B5
_wcslen.LIBCMT ref: 00A8C9F1
_wcslen.LIBCMT ref: 00A8CA68
_wcslen.LIBCMT ref: 00A8CA9E
_wcslen.LIBCMT ref: 00A8CAF9
_wcslen.LIBCMT ref: 00A8CB2F
_wcslen.LIBCMT ref: 00A8CB7F

Strings

HKEY_USERS, xrefs: 00A8CBDF
HKEY_LOCAL_MACHINE, xrefs: 00A8CA62, 00A8CA67
HKCU, xrefs: 00A8CBCE
HKU, xrefs: 00A8CBF0
HKEY_CURRENT_CONFIG, xrefs: 00A8CB79, 00A8CB7E
HKEY_CURRENT_USER, xrefs: 00A8CBBD
HKLM, xrefs: 00A8CA98, 00A8CA9D
HKEY_CLASSES_ROOT, xrefs: 00A8CAF3, 00A8CAF8
HKCR, xrefs: 00A8CB29, 00A8CB2E
HKCC, xrefs: 00A8CBAC

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: c5a1aebcd1fa55c18546e0cb63693d86c83a855054dbf8dbd96f5fcab39ebe75
Instruction ID: 08b00c51d10d24fa96da096fbd39108c10e79e8722bbe412eeb690e236a19bc4
Opcode Fuzzy Hash: c5a1aebcd1fa55c18546e0cb63693d86c83a855054dbf8dbd96f5fcab39ebe75
Instruction Fuzzy Hash: 7B71093260056A8BCB10FF7CDD41ABF73A2AB607B4B110529F8669B284E631CD45CBB0

Function 00A9833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A9835A
_wcslen.LIBCMT ref: 00A9836E
_wcslen.LIBCMT ref: 00A98391
_wcslen.LIBCMT ref: 00A983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00A95BF2), ref: 00A9844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A98487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A98501
FreeLibrary.KERNEL32(?), ref: 00A9850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A9851D
DestroyIcon.USER32(?,?,?,?,?,00A95BF2), ref: 00A9852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A98549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A98555

Strings

.dll, xrefs: 00A983AB
.exe, xrefs: 00A98388
.icl, xrefs: 00A98368

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 30159a86830badc8db5311817f1c1524bfb2d8eb06617a4bec3b82cad6dac102
Instruction ID: f11b7503d270f6273388500681dff064d031e796407b5ada5c90b0034aa75695
Opcode Fuzzy Hash: 30159a86830badc8db5311817f1c1524bfb2d8eb06617a4bec3b82cad6dac102
Instruction Fuzzy Hash: 1F61DF71640619BBEF14DF64DC81BBE77A8BF09B21F10461AF815D60D1DF78A980CBA0

Function 00A07778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 00A078D9
Bad directive syntax error, xrefs: 00A4519A
#pragma compile, xrefs: 00A077D3
", xrefs: 00A45153
#OnAutoItStartRegister, xrefs: 00A07817
', xrefs: 00A45169
#comments-start, xrefs: 00A0785F, 00A078B1
#requireadmin, xrefs: 00A077FF
#include, xrefs: 00A07847
#cs, xrefs: 00A07873, 00A078C5
#include-once, xrefs: 00A0782F
#notrayicon, xrefs: 00A077E7
Unterminated group of comments, xrefs: 00A4528C
#ce, xrefs: 00A078ED
Cannot parse #include, xrefs: 00A45279

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 2b28440be289ab081041727be33b70c5f956673d42c70cf603118dbbe6ef4915
Instruction ID: 62cfdfa419cf513a3e83cec80ab21a4ec8e4418b9ace0cdeee3524dbdb54f84a
Opcode Fuzzy Hash: 2b28440be289ab081041727be33b70c5f956673d42c70cf603118dbbe6ef4915
Instruction Fuzzy Hash: 3081D171F04609BFDB20AF64ED42FAE37A8AF95340F044425F905AA1D2EB74EA51C7A1

Function 00A73E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00A73EF8
_wcslen.LIBCMT ref: 00A73F03
_wcslen.LIBCMT ref: 00A73F5A
_wcslen.LIBCMT ref: 00A73F98
GetDriveTypeW.KERNEL32(?), ref: 00A73FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A7401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A74059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A74087

Strings

closed, xrefs: 00A73F08, 00A73F2D, 00A73F46, 00A73F7E, 00A73F97
close cd wait, xrefs: 00A74072
wait, xrefs: 00A74044
close, xrefs: 00A73EFE, 00A73F18
open , xrefs: 00A73FE5
set cd door , xrefs: 00A74028
open, xrefs: 00A73F54, 00A73F59
type cdaudio alias cd wait, xrefs: 00A74001

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: e6513775b331b722197d6e6987e2c60cfdd461d21ec163baaff292772aa8cabb
Instruction ID: 97b13fba0d6a6173e603dfc3648fa080196b8c54a74b8fae1a82bdd932055075
Opcode Fuzzy Hash: e6513775b331b722197d6e6987e2c60cfdd461d21ec163baaff292772aa8cabb
Instruction Fuzzy Hash: 1E71D072A042159FC710EF24CD8096AB7F4EF98758F01C92DF59A97291EB30ED46CB92

Function 00A65A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00A65A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A65A40
SetWindowTextW.USER32(?,?), ref: 00A65A57
GetDlgItem.USER32(?,000003EA), ref: 00A65A6C
SetWindowTextW.USER32(00000000,?), ref: 00A65A72
GetDlgItem.USER32(?,000003E9), ref: 00A65A82
SetWindowTextW.USER32(00000000,?), ref: 00A65A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00A65AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00A65AC3
GetWindowRect.USER32(?,?), ref: 00A65ACC
_wcslen.LIBCMT ref: 00A65B33
SetWindowTextW.USER32(?,?), ref: 00A65B6F
GetDesktopWindow.USER32 ref: 00A65B75
GetWindowRect.USER32(00000000), ref: 00A65B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00A65BD3
GetClientRect.USER32(?,?), ref: 00A65BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00A65C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00A65C2F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 82023945c0ae4914d8d108f72dc0a6b7733dacf0a84234d6a5f7772c3d2f7748
Instruction ID: 126737e26e0ee25a87fbae65e8606e568a7b8d32559452c43db8f17bb7508738
Opcode Fuzzy Hash: 82023945c0ae4914d8d108f72dc0a6b7733dacf0a84234d6a5f7772c3d2f7748
Instruction Fuzzy Hash: 10716E31A00B09AFDB20DFB8CE85A6EBBF5FF48714F104519E542A25A0DB75E945CB50

Function 00A7FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00A7FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00A7FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00A7FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00A7FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00A7FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00A7FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00A7FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00A7FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00A7FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00A7FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00A7FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00A7FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00A7FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00A7FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00A7FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00A7FECC
GetCursorInfo.USER32(?), ref: 00A7FEDC
GetLastError.KERNEL32 ref: 00A7FF1E

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 7b8df50588ca4bf4782ede70feddfa8a643122fcbfa93210ae04f05a25e508ab
Instruction ID: f90d3a034d5d60ae6d5320b225ffb9207412475e8e80548609d30f3ff8c70a0c
Opcode Fuzzy Hash: 7b8df50588ca4bf4782ede70feddfa8a643122fcbfa93210ae04f05a25e508ab
Instruction Fuzzy Hash: FF4124B0D083196EDB10DFBA9C8585EBFE8FF04764B50852AE11DEB281DB789901CE91

Function 00A200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00A200C6

Part of subcall function 00A200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00AD070C,00000FA0,8B672901,?,?,?,?,00A423B3,000000FF), ref: 00A2011C
Part of subcall function 00A200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00A423B3,000000FF), ref: 00A20127
Part of subcall function 00A200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00A423B3,000000FF), ref: 00A20138
Part of subcall function 00A200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00A2014E
Part of subcall function 00A200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00A2015C
Part of subcall function 00A200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00A2016A
Part of subcall function 00A200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A20195
Part of subcall function 00A200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A201A0

___scrt_fastfail.LIBCMT ref: 00A200E7

Part of subcall function 00A200A3: __onexit.LIBCMT ref: 00A200A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00A20122
WakeAllConditionVariable, xrefs: 00A20162
SleepConditionVariableCS, xrefs: 00A20154
kernel32.dll, xrefs: 00A20133
InitializeConditionVariable, xrefs: 00A20148

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 923c2c500a0c7b819d98ac7c0be7ca923c08a3e7b8ac87259aa9922c5f7b655c
Instruction ID: e21eabcb038a89163e7badacffc25e8e5eadc6cbe580f83b608d845f873de5ab
Opcode Fuzzy Hash: 923c2c500a0c7b819d98ac7c0be7ca923c08a3e7b8ac87259aa9922c5f7b655c
Instruction Fuzzy Hash: 0121D732745B207FEB109BB8BC06F6A73E4FB05B61F100637F806E6692DE6498008A94

Function 00A630F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A6318D
_wcslen.LIBCMT ref: 00A631F8

Strings

CLASSNN, xrefs: 00A631F3, 00A63204
CLASS, xrefs: 00A63188, 00A631A5
REGEXPCLASS, xrefs: 00A63255, 00A63266
NAME, xrefs: 00A63335, 00A63346
INSTANCE, xrefs: 00A63453
TEXT, xrefs: 00A6347C

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: f18b4c264a1cf30d81a4741b2ff32e8c0e6698344042676f956faa01453d45fc
Instruction ID: fb5b08b1d7123f28d83cd4c7a27cdd863cde679669d52d4ae61b0b02df083d24
Opcode Fuzzy Hash: f18b4c264a1cf30d81a4741b2ff32e8c0e6698344042676f956faa01453d45fc
Instruction Fuzzy Hash: C8E1A333E00526ABCF149F78C851BEEFBB4BF54710F558129E556A7240EF30AE868790

Function 00A744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00A9CC08), ref: 00A74527
_wcslen.LIBCMT ref: 00A7453B
_wcslen.LIBCMT ref: 00A74599
_wcslen.LIBCMT ref: 00A745F4
_wcslen.LIBCMT ref: 00A7463F
_wcslen.LIBCMT ref: 00A746A7

Part of subcall function 00A1F9F2: _wcslen.LIBCMT ref: 00A1F9FD

GetDriveTypeW.KERNEL32(?,00AC6BF0,00000061), ref: 00A74743

Strings

fixed, xrefs: 00A74635, 00A7463A
unknown, xrefs: 00A74708
cdrom, xrefs: 00A7458F, 00A74594
removable, xrefs: 00A745EA, 00A745EF
ramdisk, xrefs: 00A746F1
all, xrefs: 00A74531, 00A74536
network, xrefs: 00A7469D, 00A746A2

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: afae2be100ce06ef749d12a3fa56a0ee32bc0bd21e3ff478945663a8bd1223e7
Instruction ID: 7e7e60bb8e244bc2eaf9e351a07a2bb1f9274323bce96b2ef6dd5a8ad661738b
Opcode Fuzzy Hash: afae2be100ce06ef749d12a3fa56a0ee32bc0bd21e3ff478945663a8bd1223e7
Instruction Fuzzy Hash: A0B1D0716083029FC714DF28DD90A6AB7E5AFA9760F50CA2DF49AC7291D730DD44CB92

Function 00A83FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A9CC08), ref: 00A840BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00A840CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00A9CC08), ref: 00A840F2
FreeLibrary.KERNEL32(00000000,?,00A9CC08), ref: 00A8413E
StringFromGUID2.OLE32(?,?,00000028,?,00A9CC08), ref: 00A841A8
SysFreeString.OLEAUT32(00000009), ref: 00A84262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00A842C8
SysFreeString.OLEAUT32(?), ref: 00A842F2

Strings

GetModuleHandleExW, xrefs: 00A840C7
kernel32.dll, xrefs: 00A840B6

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 479e983445c09ad7b7bfc60ea5138397593898fe656fa687be676386eadca6ea
Instruction ID: b9097bcb2430dce99e594a6c22394b266ba3576be19434e8c17e13275d7ac6ce
Opcode Fuzzy Hash: 479e983445c09ad7b7bfc60ea5138397593898fe656fa687be676386eadca6ea
Instruction Fuzzy Hash: F1123D75A0021AEFDB14EF94C884EAEBBB5FF49314F248099F9059B251D731ED46CBA0

Function 00A0326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00AD1990), ref: 00A42F8D
GetMenuItemCount.USER32(00AD1990), ref: 00A4303D
GetCursorPos.USER32(?), ref: 00A43081
SetForegroundWindow.USER32(00000000), ref: 00A4308A
TrackPopupMenuEx.USER32(00AD1990,00000000,?,00000000,00000000,00000000), ref: 00A4309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A430A9

Strings

0, xrefs: 00A0327D

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: ad72dab62ecfce21a962fb3d5633d53ee416f9236571ac1030fa619ba521aa0c
Instruction ID: cf8555d2fb521d243bb54a87ede5f810da84b5be15942a00a5dda8fe178d8bb5
Opcode Fuzzy Hash: ad72dab62ecfce21a962fb3d5633d53ee416f9236571ac1030fa619ba521aa0c
Instruction Fuzzy Hash: 6171F535640209BEEB21CF64DC49FAABF78FF45364F204216F625AA1E0C7B1A964CB50

Function 00A96CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00A96DEB

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A96E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A96E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A96E94
DestroyWindow.USER32(?), ref: 00A96EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A00000,00000000), ref: 00A96EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A96EFD
GetDesktopWindow.USER32 ref: 00A96F16
GetWindowRect.USER32(00000000), ref: 00A96F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A96F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A96F4D

Part of subcall function 00A19944: GetWindowLongW.USER32(?,000000EB), ref: 00A19952

Strings

tooltips_class32, xrefs: 00A96E58, 00A96EDD
0, xrefs: 00A96D98

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: b379330980105531c7f2a19cbb5b88ff9535ba5982cf393b432f8a3b3bd0c76c
Instruction ID: 02cf44a45186eb80375c038aa394c3f3e3cfb80463f5222ab1936a24359f8964
Opcode Fuzzy Hash: b379330980105531c7f2a19cbb5b88ff9535ba5982cf393b432f8a3b3bd0c76c
Instruction Fuzzy Hash: 72715674604244AFDB21CF68D954FBABBE9FF89314F44081EF989872A1DB74A906CB11

Function 00A9911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

DragQueryPoint.SHELL32(?,?), ref: 00A99147

Part of subcall function 00A97674: ClientToScreen.USER32(?,?), ref: 00A9769A
Part of subcall function 00A97674: GetWindowRect.USER32(?,?), ref: 00A97710
Part of subcall function 00A97674: PtInRect.USER32(?,?,00A98B89), ref: 00A97720

SendMessageW.USER32(?,000000B0,?,?), ref: 00A991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A99225
SendMessageW.USER32(?,000000B0,?,?), ref: 00A9923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00A99255
SendMessageW.USER32(?,000000B1,?,?), ref: 00A99277
DragFinish.SHELL32(?), ref: 00A9927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A99371

Strings

@GUI_DROPID, xrefs: 00A9929E
@GUI_DRAGID, xrefs: 00A992E9
@GUI_DRAGFILE, xrefs: 00A99320

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 1d863bb03d76f1811a4a10e9ba69f8b739f2faf70a1783aa8ec867cea29bbc05
Instruction ID: b7871a032a43a9a6b6968603f4d6094c2b930c4e65cfa36d91ce228d6774549e
Opcode Fuzzy Hash: 1d863bb03d76f1811a4a10e9ba69f8b739f2faf70a1783aa8ec867cea29bbc05
Instruction Fuzzy Hash: 12618A71208305AFD701DFA4DD85DAFBBE8FF89750F00091EF596961A1DB309A49CB62

Function 00A7C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A7C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A7C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A7C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A7C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00A7C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A7C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A7C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A7C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A7C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A7C5F0
InternetCloseHandle.WININET(00000000), ref: 00A7C5FB

Strings

, xrefs: 00A7C575

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 0964fcd4c30bbe7588568707c60ef0f2394b300e1a8c18ca06f4884e5fe938bc
Instruction ID: 7c3cb4c23895b77348e46a12daf9f7dea79ed77f717e69f1bb325edab3feb819
Opcode Fuzzy Hash: 0964fcd4c30bbe7588568707c60ef0f2394b300e1a8c18ca06f4884e5fe938bc
Instruction Fuzzy Hash: E5512BB1640604BFDB21DFA4CD88AAB7BBCFB08764F00C51EF94A96250DB35E9459B60

Function 00A9856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00A98592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A985A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A985AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A985BA
GlobalLock.KERNEL32(00000000), ref: 00A985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A985D7
GlobalUnlock.KERNEL32(00000000), ref: 00A985E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A985F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00A9FC38,?), ref: 00A98611
GlobalFree.KERNEL32(00000000), ref: 00A98621
GetObjectW.GDI32(?,00000018,?), ref: 00A98641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00A98671
DeleteObject.GDI32(?), ref: 00A98699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A986AF

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: eb0616e9812d361f23b378f35f575a1469561248b0e99421bd28eae44dcf0e7f
Instruction ID: a4119cd520b732fc07e49e8cc16e0213d8ac4b1230fa4ff903c0e6efad490c43
Opcode Fuzzy Hash: eb0616e9812d361f23b378f35f575a1469561248b0e99421bd28eae44dcf0e7f
Instruction Fuzzy Hash: 6E411975700604AFDB11DFA5DD48EAA7BBCFF89721F108159F905EB260DB349902CB60

Function 00A714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00A71502
VariantCopy.OLEAUT32(?,?), ref: 00A7150B
VariantClear.OLEAUT32(?), ref: 00A71517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00A715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00A71657
VariantInit.OLEAUT32(?), ref: 00A71708
SysFreeString.OLEAUT32(?), ref: 00A7178C
VariantClear.OLEAUT32(?), ref: 00A717D8
VariantClear.OLEAUT32(?), ref: 00A717E7
VariantInit.OLEAUT32(00000000), ref: 00A71823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00A71625
Default, xrefs: 00A716AF

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: fa3a1460c31b4ebd0866ce78f88862afe56331ce05ff588fc7f9c4a1f7434fa3
Instruction ID: 0351fb896dd781fb6d3e1f2a76c3d057fb773244402461cea81e1b7d3f892b0e
Opcode Fuzzy Hash: fa3a1460c31b4ebd0866ce78f88862afe56331ce05ff588fc7f9c4a1f7434fa3
Instruction Fuzzy Hash: C0D1DD72A00615EBDF189F69E985BB9B7F9BF44704F14C05AE40AAB180DB30EC45DB62

Function 00A8B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8B6AE,?,?), ref: 00A8C9B5
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8C9F1
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA68
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A8B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A8B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00A8B80A
RegCloseKey.ADVAPI32(?), ref: 00A8B87E
RegCloseKey.ADVAPI32(?), ref: 00A8B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00A8B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A8B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00A8B922
FreeLibrary.KERNEL32(00000000), ref: 00A8B983
RegCloseKey.ADVAPI32(00000000), ref: 00A8B994

Strings

RegDeleteKeyExW, xrefs: 00A8B8FE
advapi32.dll, xrefs: 00A8B8ED

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 1955b49472e2d0fd8d9a2e439f7d8d7258c7d1844d87506d096144436a33db96
Instruction ID: d63a972558fed6909e8bf41c9fba7855d8b9dd7b04c1121be5a5b8f8e0c47097
Opcode Fuzzy Hash: 1955b49472e2d0fd8d9a2e439f7d8d7258c7d1844d87506d096144436a33db96
Instruction Fuzzy Hash: 4CC17E30214201AFD714EF24C495F2ABBE5BF84318F14855CF59A4B2A2CB75ED46CBA2

Function 00A8255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00A825E8
CreateCompatibleDC.GDI32(?), ref: 00A825F4
SelectObject.GDI32(00000000,?), ref: 00A82601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00A8266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00A826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00A826D0
SelectObject.GDI32(?,?), ref: 00A826D8
DeleteObject.GDI32(?), ref: 00A826E1
DeleteDC.GDI32(?), ref: 00A826E8
ReleaseDC.USER32(00000000,?), ref: 00A826F3

Strings

(, xrefs: 00A8268D

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: c4b37b64b4ad4b9cd9a744c52881b96bd537e3bcc9cfcf83560de7ec8e815eb8
Instruction ID: 1e1306cfc9693be822b026aa17600b9b0bd9b3bd5a82e55462cf30454a1187db
Opcode Fuzzy Hash: c4b37b64b4ad4b9cd9a744c52881b96bd537e3bcc9cfcf83560de7ec8e815eb8
Instruction Fuzzy Hash: AD61F375E00219EFCF14DFE8D984AAEBBB5FF48310F20852AE955A7250E770A941CF64

Function 00A3DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00A3DAA1

Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D659
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D66B
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D67D
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D68F
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6A1
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6B3
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6C5
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6D7
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6E9
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6FB
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D70D
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D71F
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D731

_free.LIBCMT ref: 00A3DA96

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

_free.LIBCMT ref: 00A3DAB8
_free.LIBCMT ref: 00A3DACD
_free.LIBCMT ref: 00A3DAD8
_free.LIBCMT ref: 00A3DAFA
_free.LIBCMT ref: 00A3DB0D
_free.LIBCMT ref: 00A3DB1B
_free.LIBCMT ref: 00A3DB26
_free.LIBCMT ref: 00A3DB5E
_free.LIBCMT ref: 00A3DB65
_free.LIBCMT ref: 00A3DB82
_free.LIBCMT ref: 00A3DB9A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b93d9865debfbc1a363ab733d278cc2a6938834d255316bd56fe93c788bb87db
Instruction ID: 5a6f6b3f117df63b7113a7ead8bf854b9a67a749510ccf9038109eb62c73cb87
Opcode Fuzzy Hash: b93d9865debfbc1a363ab733d278cc2a6938834d255316bd56fe93c788bb87db
Instruction Fuzzy Hash: DF312732A04705DFEB22AF39FA45B5AB7E9FF40360F154469F459DB191DB31AC808B20

Function 00A6365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A6369C
_wcslen.LIBCMT ref: 00A636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A63797
GetClassNameW.USER32(?,?,00000400), ref: 00A6380C
GetDlgCtrlID.USER32(?), ref: 00A6385D
GetWindowRect.USER32(?,?), ref: 00A63882
GetParent.USER32(?), ref: 00A638A0
ScreenToClient.USER32(00000000), ref: 00A638A7
GetClassNameW.USER32(?,?,00000100), ref: 00A63921
GetWindowTextW.USER32(?,?,00000400), ref: 00A6395D

Strings

%s%u, xrefs: 00A63734

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 0dbe0b79d7e4196d8ab553bb497eac9d7c3fd4e1e68ce7fe8b333a4f092f1efc
Instruction ID: be1fe28d35fc2dbdb7ff8ec8423c5fdd3129afdfe577a07ce30eed5c424c204e
Opcode Fuzzy Hash: 0dbe0b79d7e4196d8ab553bb497eac9d7c3fd4e1e68ce7fe8b333a4f092f1efc
Instruction Fuzzy Hash: 0991B172204706AFDB19DF64C895BEAB7B8FF44350F008529F99AC6190DB30EA46CB91

Function 00A64954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00A64994
GetWindowTextW.USER32(?,?,00000400), ref: 00A649DA
_wcslen.LIBCMT ref: 00A649EB
CharUpperBuffW.USER32(?,00000000), ref: 00A649F7
_wcsstr.LIBVCRUNTIME ref: 00A64A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00A64A64
GetWindowTextW.USER32(?,?,00000400), ref: 00A64A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00A64AE6
GetClassNameW.USER32(?,?,00000400), ref: 00A64B20
GetWindowRect.USER32(?,?), ref: 00A64B8B

Strings

ThumbnailClass, xrefs: 00A64A6F, 00A64AF1

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 13d6cfa761ad8c73ee10433c2f0dd37cb9ca7a18a532e21160e6907900f57342
Instruction ID: c75509d0ea4448aaa1a4badbe9d65717f99de2f5434cb4c5b7da586de3b3ea3b
Opcode Fuzzy Hash: 13d6cfa761ad8c73ee10433c2f0dd37cb9ca7a18a532e21160e6907900f57342
Instruction Fuzzy Hash: 1991EE72104205AFDB04CF54C981BAA7BF8FF88354F04846AFE859A196DB30ED45CBA1

Function 00A98D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A98D5A
GetFocus.USER32 ref: 00A98D6A
GetDlgCtrlID.USER32(00000000), ref: 00A98D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00A98E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00A98ECF
GetMenuItemCount.USER32(?), ref: 00A98EEC
GetMenuItemID.USER32(?,00000000), ref: 00A98EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00A98F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A98F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A98FA1

Strings

0, xrefs: 00A98E9F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 2f698ef00b9ce6ec360ba00245209c79901937ec1e76ad00514e95e152f686d2
Instruction ID: 829ffd7dd2f21bf99732e8e41282d2e2c55e5c6490cd768989d0be47b221ce3d
Opcode Fuzzy Hash: 2f698ef00b9ce6ec360ba00245209c79901937ec1e76ad00514e95e152f686d2
Instruction Fuzzy Hash: 8A81AE71608311AFDF10CF24D984AAB7BE9FF8A764F14091EF98597291DB38D901CBA1

Function 00A6DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00A6DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00A6DC46
_wcslen.LIBCMT ref: 00A6DC50
_wcsstr.LIBVCRUNTIME ref: 00A6DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00A6DCBC

Strings

%u.%u.%u.%u, xrefs: 00A6DD9A
\VarFileInfo\Translation, xrefs: 00A6DCB4
StringFileInfo\, xrefs: 00A6DC8F
04090000, xrefs: 00A6DCF2
DefaultLangCodepage, xrefs: 00A6DD1F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 14ba7c00f6ca1686776204704c32de2c411b2e422e537cf465c9228448733f5f
Instruction ID: d062fb61ac710704dafddb59b9c2fcd9feb0460107f231b24558612a5e5a1120
Opcode Fuzzy Hash: 14ba7c00f6ca1686776204704c32de2c411b2e422e537cf465c9228448733f5f
Instruction Fuzzy Hash: 1D41F232A40214BADB10BB78ED43EFF77BCEF45760F14046AF900A6182EB749A0187A4

Function 00A8CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A8CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00A8CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A8CD48

Part of subcall function 00A8CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00A8CCAA
Part of subcall function 00A8CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00A8CCBD
Part of subcall function 00A8CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A8CCCF
Part of subcall function 00A8CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A8CD05
Part of subcall function 00A8CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A8CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A8CCF3

Strings

RegDeleteKeyExW, xrefs: 00A8CCC9
advapi32.dll, xrefs: 00A8CCB8

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f6d44055cbfeb60f145bedddc85cb6c0b3c4bf68e901ad86c2b36d7669bebdd8
Instruction ID: 99bd824d0e0e7e3a3be4223593a06c78f13877c76b2c76a82845e65774a46ab7
Opcode Fuzzy Hash: f6d44055cbfeb60f145bedddc85cb6c0b3c4bf68e901ad86c2b36d7669bebdd8
Instruction Fuzzy Hash: 803160B1A01129BBDB20EB95DC88EFFBB7CEF45760F000166A905E3150DA749A46DFB0

Function 00A73D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A73D40
_wcslen.LIBCMT ref: 00A73D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A73D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A73DBE
RemoveDirectoryW.KERNEL32(?), ref: 00A73DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A73E55
CloseHandle.KERNEL32(00000000), ref: 00A73E60
CloseHandle.KERNEL32(00000000), ref: 00A73E6B

Strings

:, xrefs: 00A73D82
\??\%s, xrefs: 00A73D5B
\, xrefs: 00A73D77

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: bce8975ea4260902d3188bfe979235800b84acabe54a4a0990263e245e0602fb
Instruction ID: 495915dd1e2d4a695d0d59a57a969e6c9c5ebaacde8238dabd5bfbf1b90a9d08
Opcode Fuzzy Hash: bce8975ea4260902d3188bfe979235800b84acabe54a4a0990263e245e0602fb
Instruction Fuzzy Hash: E031AF72A00219ABDF20DBA4DC49FEB37BCEF88710F1181B6F509D6061EB7097858B24

Function 00A6E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A6E6B4

Part of subcall function 00A1E551: timeGetTime.WINMM(?,?,00A6E6D4), ref: 00A1E555

Sleep.KERNEL32(0000000A), ref: 00A6E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00A6E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A6E727
SetActiveWindow.USER32 ref: 00A6E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A6E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00A6E773
Sleep.KERNEL32(000000FA), ref: 00A6E77E
IsWindow.USER32 ref: 00A6E78A
EndDialog.USER32(00000000), ref: 00A6E79B

Strings

BUTTON, xrefs: 00A6E719

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: dd08c2d9353f4eff710039280fccdbd739ed13aa31aed9a2f58e4ada50cda6e3
Instruction ID: d20f40dbfbbb0a2f99c876a8c98ad2a722e1a7828491fcf6d97b1ae7d8384ef2
Opcode Fuzzy Hash: dd08c2d9353f4eff710039280fccdbd739ed13aa31aed9a2f58e4ada50cda6e3
Instruction Fuzzy Hash: 19218CB9341704BFEB01DFE4EC89B263B79FB64758B101826F912821A1DF71AC16DB24

Function 00A6E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A6EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A6EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A6EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A6EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A6EAA7

Strings

alias PlayMe, xrefs: 00A6EA36
status PlayMe mode, xrefs: 00A6EA58
play PlayMe wait, xrefs: 00A6EA91
close PlayMe, xrefs: 00A6EA6E, 00A6EA9B
open , xrefs: 00A6EA0C
play PlayMe, xrefs: 00A6EAA2

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: ca4e316e5b6b387a5ea8eac4a8cfbc89dca79f526ea69fe4f390042879f13c83
Instruction ID: 25407dd89247ddf614e14d7fc89b06a086a35bf1e85877def5e1890f89f75c2b
Opcode Fuzzy Hash: ca4e316e5b6b387a5ea8eac4a8cfbc89dca79f526ea69fe4f390042879f13c83
Instruction Fuzzy Hash: C111A335A5021D79D720E7A5ED4AEFF6A7CFFD1B40F0008297401A20D1EE700905C6B1

Function 00A69F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A6A012
SetKeyboardState.USER32(?), ref: 00A6A07D
GetAsyncKeyState.USER32(000000A0), ref: 00A6A09D
GetKeyState.USER32(000000A0), ref: 00A6A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00A6A0E3
GetKeyState.USER32(000000A1), ref: 00A6A0F4
GetAsyncKeyState.USER32(00000011), ref: 00A6A120
GetKeyState.USER32(00000011), ref: 00A6A12E
GetAsyncKeyState.USER32(00000012), ref: 00A6A157
GetKeyState.USER32(00000012), ref: 00A6A165
GetAsyncKeyState.USER32(0000005B), ref: 00A6A18E
GetKeyState.USER32(0000005B), ref: 00A6A19C

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 979e907bfcccb5838d2250b9a657059496c3ebae7a48baf91b57433c3f292b0a
Instruction ID: 327eb2e5d6bfa330604bb4215fac8a5d141c4cc6875a1cca5e91d27313d0acf7
Opcode Fuzzy Hash: 979e907bfcccb5838d2250b9a657059496c3ebae7a48baf91b57433c3f292b0a
Instruction Fuzzy Hash: 6C51BB7060478429FB35DBB085117EBBFF59F23340F098599D5C2671C2DA64AE8CCB62

Function 00A65CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00A65CE2
GetWindowRect.USER32(00000000,?), ref: 00A65CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00A65D59
GetDlgItem.USER32(?,00000002), ref: 00A65D69
GetWindowRect.USER32(00000000,?), ref: 00A65D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00A65DCF
GetDlgItem.USER32(?,000003E9), ref: 00A65DDD
GetWindowRect.USER32(00000000,?), ref: 00A65DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00A65E31
GetDlgItem.USER32(?,000003EA), ref: 00A65E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A65E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00A65E67

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 0749e6f1993c3854a61fcd2787f9f0610b7bd971a7f57f5ae1d19ce74510eca1
Instruction ID: e77a8d21533aeec2de8947995a9c67e67c40b4ee5919fc598e588f8595ba1ae8
Opcode Fuzzy Hash: 0749e6f1993c3854a61fcd2787f9f0610b7bd971a7f57f5ae1d19ce74510eca1
Instruction Fuzzy Hash: 08510C71F00605AFDF18CFA8DD89AAEBBB5EF48310F548129F515E6290DB709E01CB60

Function 00A18BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A18F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A18BE8,?,00000000,?,?,?,?,00A18BBA,00000000,?), ref: 00A18FC5

DestroyWindow.USER32(?), ref: 00A18C81
KillTimer.USER32(00000000,?,?,?,?,00A18BBA,00000000,?), ref: 00A18D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00A56973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00A18BBA,00000000,?), ref: 00A569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00A18BBA,00000000,?), ref: 00A569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00A18BBA,00000000), ref: 00A569D4
DeleteObject.GDI32(00000000), ref: 00A569E6

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: beff6a349063291c40701f39ec336db2bd4fe24c9535d05a87ef873d6e0f3348
Instruction ID: 67317e849d28b787b8689e03df10be71bfbc3dc56eb7ec4c982b93d51d3d015a
Opcode Fuzzy Hash: beff6a349063291c40701f39ec336db2bd4fe24c9535d05a87ef873d6e0f3348
Instruction Fuzzy Hash: AC618D30602700EFCB25DFA8DA58BA977F1FB40352F54451AE4439B960CB39A9C6DF90

Function 00A19838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00A19944: GetWindowLongW.USER32(?,000000EB), ref: 00A19952

GetSysColor.USER32(0000000F), ref: 00A19862

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d6f9e3b6141c59f187250bfa8ca5a38e24116c97dcf6f6082334416978f2bd4d
Instruction ID: 850d859686d8e40cbd3b9645b0e65c3963c4a677ca90d8e61e6dc730346bf2ce
Opcode Fuzzy Hash: d6f9e3b6141c59f187250bfa8ca5a38e24116c97dcf6f6082334416978f2bd4d
Instruction Fuzzy Hash: 4641A531204640AFDB209F7C9C94BFA3BA5FB06771F244616F9A29B1E1DB319C82DB11

Function 00A696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00A4F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00A69717
LoadStringW.USER32(00000000,?,00A4F7F8,00000001), ref: 00A69720

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00A4F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00A69742
LoadStringW.USER32(00000000,?,00A4F7F8,00000001), ref: 00A69745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00A69866

Strings

Error: , xrefs: 00A6981D
%s (%d) : ==> %s: %s %s, xrefs: 00A6984A
Line %d:, xrefs: 00A697A0
Line %d (File "%s"):, xrefs: 00A6978F
^ ERROR, xrefs: 00A697FB

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 95c1d222f4ee9a03f381642362a387d2e6fc42cf469f3c0f62b9a3ab4226425d
Instruction ID: 3124b6f19e0d8515ea06305f75044e108b9e8372e9e5992102084a9ee42e51a2
Opcode Fuzzy Hash: 95c1d222f4ee9a03f381642362a387d2e6fc42cf469f3c0f62b9a3ab4226425d
Instruction Fuzzy Hash: 2A41197290020DAADF04EBE0EF86EEFB77CAF55340F500465B60576092EA356F49CB61

Function 00A606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A60804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00A6082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A60837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A6083C

Strings

\CLSID, xrefs: 00A60724
SOFTWARE\Classes\, xrefs: 00A6070E
\IPC$, xrefs: 00A60784

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 99fbf9da71c8e6ed3806090343cf95a065c21acea194702269401187f89b06c4
Instruction ID: 811b1a488e7ed0f62704bd9ba3890ace53dc28bb2074ae88df3eacbaa83c98af
Opcode Fuzzy Hash: 99fbf9da71c8e6ed3806090343cf95a065c21acea194702269401187f89b06c4
Instruction Fuzzy Hash: B9410672D1062DABDF15EBA4ED85DEEB778BF14350F044169E901A71A1EB30AE44CBA0

Function 00A93F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00A9403B
CreateCompatibleDC.GDI32(00000000), ref: 00A94042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A94055
SelectObject.GDI32(00000000,00000000), ref: 00A9405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A94068
DeleteDC.GDI32(00000000), ref: 00A94072
GetWindowLongW.USER32(?,000000EC), ref: 00A9407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00A94092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00A9409E

Strings

static, xrefs: 00A93FD3

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: cda233fb7803b7747fd68e3cb44ebad8b36f48ec8e8700d5351c9246f2817b0c
Instruction ID: 56b83cba19b4391d0b2feaffb50152d0f1132b8494b3c63cee493f3473982515
Opcode Fuzzy Hash: cda233fb7803b7747fd68e3cb44ebad8b36f48ec8e8700d5351c9246f2817b0c
Instruction Fuzzy Hash: 28315C32601615BBDF219FA8DC49FDA3BA8EF0D324F110211FA15E61A0DB75D812DB64

Function 00A83C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A83C5C
CoInitialize.OLE32(00000000), ref: 00A83C8A
CoUninitialize.OLE32 ref: 00A83C94
_wcslen.LIBCMT ref: 00A83D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00A83DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00A83ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00A83F0E
CoGetObject.OLE32(?,00000000,00A9FB98,?), ref: 00A83F2D
SetErrorMode.KERNEL32(00000000), ref: 00A83F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A83FC4
VariantClear.OLEAUT32(?), ref: 00A83FD8

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 9a07e4523d647cbb45eaeb62e562e6444de4bbeb2c390a6d2583e74a114f7fbf
Instruction ID: 1835ba6173d00249f1d459a11758abf3483f15a850ac1d9b2cbfdc222cbc3878
Opcode Fuzzy Hash: 9a07e4523d647cbb45eaeb62e562e6444de4bbeb2c390a6d2583e74a114f7fbf
Instruction Fuzzy Hash: 1CC147726083059FDB00EF68C98492BBBE9FF89B44F10491DF98A9B251DB31ED45CB52

Function 00A77A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A77AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A77B8F
SHGetDesktopFolder.SHELL32(?), ref: 00A77BA3
CoCreateInstance.OLE32(00A9FD08,00000000,00000001,00AC6E6C,?), ref: 00A77BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A77C74
CoTaskMemFree.OLE32(?,?), ref: 00A77CCC
SHBrowseForFolderW.SHELL32(?), ref: 00A77D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A77D7A
CoTaskMemFree.OLE32(00000000), ref: 00A77D81
CoTaskMemFree.OLE32(00000000), ref: 00A77DD6
CoUninitialize.OLE32 ref: 00A77DDC

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: fea50bdcfdd57ef61f0d345d8f19042f9ef23fea94cd1d0b5ed7f9820f2eb0c5
Instruction ID: 894ec5bd963e2006e661599cfd2ef875c3c6aaba0f20ef16d8d267d55d5470b3
Opcode Fuzzy Hash: fea50bdcfdd57ef61f0d345d8f19042f9ef23fea94cd1d0b5ed7f9820f2eb0c5
Instruction Fuzzy Hash: F6C10C75A04109AFDB14DFA4C984DAEBBF5FF48314B14C499E81ADB262DB30ED45CB90

Function 00A9541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A95504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A95515
CharNextW.USER32(00000158), ref: 00A95544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A95585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A9559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A955AC

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 16a2833d7da388fa96afa19aceef522cb7bad57706c92816d4270e23f9771490
Instruction ID: 13024a49b1d710a05ca93e6470a98a841fdbd9ef793dd114968be1fbc144b51f
Opcode Fuzzy Hash: 16a2833d7da388fa96afa19aceef522cb7bad57706c92816d4270e23f9771490
Instruction Fuzzy Hash: 0C618E35F00608AFDF12DFA4CC869FE7BF9EB45720F108145FA25AA291D7749A81DB60

Function 00A5FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A5FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00A5FB08
VariantInit.OLEAUT32(?), ref: 00A5FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00A5FB3A
VariantCopy.OLEAUT32(?,?), ref: 00A5FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00A5FBA1
VariantClear.OLEAUT32(?), ref: 00A5FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00A5FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A5FBCC
VariantClear.OLEAUT32(?), ref: 00A5FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A5FBE9

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6bce197812369685a7fb19a8b32c652d1ce93815ab229e0156e6a2d4fdc5e06f
Instruction ID: 9fa0e0447b65d0e0604220a28da64d9201241e4b89c6b2e71b7c3989707069cb
Opcode Fuzzy Hash: 6bce197812369685a7fb19a8b32c652d1ce93815ab229e0156e6a2d4fdc5e06f
Instruction Fuzzy Hash: 04416375B00219DFCF00DFA8D8589ADBBB9FF48355F018065F916A7261CB30A946CFA1

Function 00A69C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A69CA1
GetAsyncKeyState.USER32(000000A0), ref: 00A69D22
GetKeyState.USER32(000000A0), ref: 00A69D3D
GetAsyncKeyState.USER32(000000A1), ref: 00A69D57
GetKeyState.USER32(000000A1), ref: 00A69D6C
GetAsyncKeyState.USER32(00000011), ref: 00A69D84
GetKeyState.USER32(00000011), ref: 00A69D96
GetAsyncKeyState.USER32(00000012), ref: 00A69DAE
GetKeyState.USER32(00000012), ref: 00A69DC0
GetAsyncKeyState.USER32(0000005B), ref: 00A69DD8
GetKeyState.USER32(0000005B), ref: 00A69DEA

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d426351b89d01621c914e70d93ee634328ca4b3a0a43dd4116e9494aab579a7b
Instruction ID: f415de64eed881740db0a5a63f478825241c78c3ca4b22613fd14c1608f184be
Opcode Fuzzy Hash: d426351b89d01621c914e70d93ee634328ca4b3a0a43dd4116e9494aab579a7b
Instruction Fuzzy Hash: 3141C834604BC9ADFF31D7A4C8043B7BEB8AF11354F04806ADAC6565C2DBB599D8C7A2

Function 00A8055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A805BC
inet_addr.WSOCK32(?), ref: 00A8061C
gethostbyname.WSOCK32(?), ref: 00A80628
IcmpCreateFile.IPHLPAPI ref: 00A80636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00A807B9
WSACleanup.WSOCK32 ref: 00A807BF

Strings

Ping, xrefs: 00A80676

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2d220a690d0bf7d4a7518f36c09dffe45c9a0ce65298249b3dc3fd02a6443665
Instruction ID: 41c4c9b1f84c5c4a3fce10f238f762e4566622e4b5619a7183ab682c66540f60
Opcode Fuzzy Hash: 2d220a690d0bf7d4a7518f36c09dffe45c9a0ce65298249b3dc3fd02a6443665
Instruction Fuzzy Hash: A891BF356086419FD360EF15D988F1ABBE0AF44318F1485A9F46A8B7A2CB70FC49CF91

Function 00A88CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00A88CF3

Part of subcall function 00A68E54: _wcslen.LIBCMT ref: 00A68E77

_wcslen.LIBCMT ref: 00A88D4E
_wcslen.LIBCMT ref: 00A88D9C
_wcslen.LIBCMT ref: 00A88DDC
_wcslen.LIBCMT ref: 00A88E6E

Strings

none, xrefs: 00A88E65, 00A88E6A
cdecl, xrefs: 00A88D48, 00A88D4D
stdcall, xrefs: 00A88DD6, 00A88DDB
winapi, xrefs: 00A88D96, 00A88D9B

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 2e6fe6d7cb1372a8dbe3237206260439b163979259b6cc8077d75b3927f6b230
Instruction ID: 8510f4c99b729652ffacc28e17cf02f91dbb279b30653a8426d81866853d99b3
Opcode Fuzzy Hash: 2e6fe6d7cb1372a8dbe3237206260439b163979259b6cc8077d75b3927f6b230
Instruction Fuzzy Hash: 50519231A001169BCF14EF6CC9409BEB7B5BF64724BA14229E966E72C5DF39DD40C790

Function 00A8372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00A83774
CoUninitialize.OLE32 ref: 00A8377F
CoCreateInstance.OLE32(?,00000000,00000017,00A9FB78,?), ref: 00A837D9
IIDFromString.OLE32(?,?), ref: 00A8384C
VariantInit.OLEAUT32(?), ref: 00A838E4
VariantClear.OLEAUT32(?), ref: 00A83936

Strings

Invalid parameter, xrefs: 00A83865
NULL Pointer assignment, xrefs: 00A8381E
Failed to create object, xrefs: 00A837E4, 00A8389A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: be470792528afb3b85f47f0c089c44e6e3ef362a9b0ed989328f7026b2f26cac
Instruction ID: 7018fba300ab099831841fb79cd911c315c1f21d257f51268292860661f42b08
Opcode Fuzzy Hash: be470792528afb3b85f47f0c089c44e6e3ef362a9b0ed989328f7026b2f26cac
Instruction Fuzzy Hash: 7E61A072608701AFDB10EF54C948F6ABBE8EF49B10F004849F9859B291D770EE49CB92

Function 00A73388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00A733CF

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A733F0

Strings

Error: , xrefs: 00A734D1
"%s" (%d) : ==> %s:, xrefs: 00A73522
Incorrect parameters to object property !, xrefs: 00A734AB
^ ERROR , xrefs: 00A7349E
Line %d (File "%s"):, xrefs: 00A73443, 00A7345C
"%s" (%d) : ==> %s:%s%s, xrefs: 00A73504

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: d3a555d84bdfda191e0f22ca62a5bb0525467f47ddda9f3756b81be761e47707
Instruction ID: 5731148694e8311748f712b4fcca57f84ee17e47eb6bde5e0a4cfdefcfd9d6c6
Opcode Fuzzy Hash: d3a555d84bdfda191e0f22ca62a5bb0525467f47ddda9f3756b81be761e47707
Instruction Fuzzy Hash: 77518C72900209BADF18EBE0DE46EEEB778AF04340F108465F509760A2EB312F58DB61

Function 00A6B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A6B5FC
_wcslen.LIBCMT ref: 00A6B608
_wcslen.LIBCMT ref: 00A6B64D
_wcslen.LIBCMT ref: 00A6B68C
_wcslen.LIBCMT ref: 00A6B6C7

Strings

EXISTS, xrefs: 00A6B686, 00A6B68B
KEYS, xrefs: 00A6B647, 00A6B64C
APPEND, xrefs: 00A6B6C1, 00A6B6C6
REMOVE, xrefs: 00A6B602, 00A6B607

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: cdef311ad10b5a6c310a5bc23fa9c239705c074d4ea1192f9ed0ec42aad4462f
Instruction ID: a71f2486e9e38d11412c806ba035eb6320c4098aff64fb071baad5e7121924a7
Opcode Fuzzy Hash: cdef311ad10b5a6c310a5bc23fa9c239705c074d4ea1192f9ed0ec42aad4462f
Instruction Fuzzy Hash: BD41C636A211269BCB209F7DCD905BE77B5AFA0B54B254529E421DB284F731CDC1C7B0

Function 00A75393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A75416
GetLastError.KERNEL32 ref: 00A75420
SetErrorMode.KERNEL32(00000000,READY), ref: 00A754A7

Strings

UNKNOWN, xrefs: 00A75444
READY, xrefs: 00A75460, 00A75468
INVALID, xrefs: 00A75459
READONLY, xrefs: 00A75452
NOTREADY, xrefs: 00A7544B

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8900d626af7eb4251f435f6c750ff67749e40fe954d1214448b51bde478315c9
Instruction ID: 30eb69f793a96c811293dd9b85b2dd492b0ffca5a6d45a01ede4981d58ea851e
Opcode Fuzzy Hash: 8900d626af7eb4251f435f6c750ff67749e40fe954d1214448b51bde478315c9
Instruction Fuzzy Hash: 40319F35E005049FDB10DF68C984BAABBB5EF05315F14C06AE40ACB292DBB1ED86CB91

Function 00A93C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00A93C79
SetMenu.USER32(?,00000000), ref: 00A93C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A93D10
IsMenu.USER32(?), ref: 00A93D24
CreatePopupMenu.USER32 ref: 00A93D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A93D5B
DrawMenuBar.USER32 ref: 00A93D63

Strings

F, xrefs: 00A93D4E
0, xrefs: 00A93C54

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: dbc055591fef9f119be17fdda8e753b9cbfae927905568833c362fb66211ef6d
Instruction ID: 8e6ef96ca79e3842608761a78aba21ca8a193d88ba3ead7a37fbd9a54b7c8c19
Opcode Fuzzy Hash: dbc055591fef9f119be17fdda8e753b9cbfae927905568833c362fb66211ef6d
Instruction Fuzzy Hash: 784157BAB01609AFDF14CFA4D894AAA7BF5FF49350F140429F946A7360D730AA11CF94

Function 00A61EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00A61F64
GetDlgCtrlID.USER32 ref: 00A61F6F
GetParent.USER32 ref: 00A61F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A61F8E
GetDlgCtrlID.USER32(?), ref: 00A61F97
GetParent.USER32(?), ref: 00A61FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A61FAE

Strings

ListBox, xrefs: 00A61F21
ComboBox, xrefs: 00A61EEC

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 4b545d0f90520f81de74a6a89400bbfb9736e0e40f81b54ea6032a203395e508
Instruction ID: c799f24c6a0a48f73369ba95be8ba411515dfb2cf352a2c2910b6e7953ee27e6
Opcode Fuzzy Hash: 4b545d0f90520f81de74a6a89400bbfb9736e0e40f81b54ea6032a203395e508
Instruction Fuzzy Hash: C121BE71E00218BBCF04EFA0DC85EEEBBB8EF15310F004116FA61A72E1DB3959199B60

Function 00A61FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00A62043
GetDlgCtrlID.USER32 ref: 00A6204E
GetParent.USER32 ref: 00A6206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A6206D
GetDlgCtrlID.USER32(?), ref: 00A62076
GetParent.USER32(?), ref: 00A6208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A6208D

Strings

ListBox, xrefs: 00A62002
ComboBox, xrefs: 00A61FCD

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 6a3aee4facf86f4e7fe013eabfcfc73f9e55e4cee2a91fccaf8b6834e511e4cb
Instruction ID: cdeebe7874f5c7d86295539de7485a82b42d65c30a39bfd11317d497060f6034
Opcode Fuzzy Hash: 6a3aee4facf86f4e7fe013eabfcfc73f9e55e4cee2a91fccaf8b6834e511e4cb
Instruction Fuzzy Hash: 3321D1B5E00618BFDF10EFA0DC85EEEBBB8EF05310F005406FA51A72A1DA795919DB60

Function 00A93A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A93A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A93AA0
GetWindowLongW.USER32(?,000000F0), ref: 00A93AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A93AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A93B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00A93BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00A93BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00A93BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00A93BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00A93C13

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 2c3c78b7730eab7670622f73fcec4648d7e5a302a7da77240c95bc67b2ed3c6d
Instruction ID: ec772df00d336966dfdffb8a9349d81477c677343382ad101442030fc49babe4
Opcode Fuzzy Hash: 2c3c78b7730eab7670622f73fcec4648d7e5a302a7da77240c95bc67b2ed3c6d
Instruction Fuzzy Hash: 12615B75A00248AFDF10DFA8CD81EEE77F8EB09710F10419AFA15A7292D774AE46DB50

Function 00A6B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A6B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B165
GetWindowThreadProcessId.USER32(00000000), ref: 00A6B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A6B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B21D

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 584c7c38d9045d09eb397d571fb2a6b650f94d257638a6be37016840eb11a6f8
Instruction ID: d7c230950e2df76e89bcfe3f8f7ce4f546d3ec479de56a481b75a7c79687226d
Opcode Fuzzy Hash: 584c7c38d9045d09eb397d571fb2a6b650f94d257638a6be37016840eb11a6f8
Instruction Fuzzy Hash: D3319172610604BFDF10DFA4DC58BAE7BB9BB51321F108116FA06D61A0DBB49A828F71

Function 00A32C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A32C94

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

_free.LIBCMT ref: 00A32CA0
_free.LIBCMT ref: 00A32CAB
_free.LIBCMT ref: 00A32CB6
_free.LIBCMT ref: 00A32CC1
_free.LIBCMT ref: 00A32CCC
_free.LIBCMT ref: 00A32CD7
_free.LIBCMT ref: 00A32CE2
_free.LIBCMT ref: 00A32CED
_free.LIBCMT ref: 00A32CFB

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b0d061ed36a3355f28b214eeb8cb20772df4c788da4a7a1d2fc446e1d8cfb4ba
Instruction ID: f63dc1290b42930180499a3976290828c5e2d28d2da11c0e834d9bcfe3430fbf
Opcode Fuzzy Hash: b0d061ed36a3355f28b214eeb8cb20772df4c788da4a7a1d2fc446e1d8cfb4ba
Instruction Fuzzy Hash: E511C876100118BFCB02EF54EA82EDD7BA5FF45350F4144A5FA489F232DA31EE509B90

Function 00A77DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A77FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00A77FC1
GetFileAttributesW.KERNEL32(?), ref: 00A77FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00A78005
SetCurrentDirectoryW.KERNEL32(?), ref: 00A78017
SetCurrentDirectoryW.KERNEL32(?), ref: 00A78060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A780B0

Strings

*.*, xrefs: 00A78066

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 9be1dc4fc16b6834a89ac52d925e4977cf09fe5f113db30e09872127ac8666b7
Instruction ID: f031a54469ca3901bacdffb5334705ea7accf4969f27e5d4ea3528d952291511
Opcode Fuzzy Hash: 9be1dc4fc16b6834a89ac52d925e4977cf09fe5f113db30e09872127ac8666b7
Instruction Fuzzy Hash: E5818E725082059BDB20EF14CD449AEB3E8BF88714F54CC6EF889D7250EB75ED498B92

Function 00A05BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A05C7A

Part of subcall function 00A05D0A: GetClientRect.USER32(?,?), ref: 00A05D30
Part of subcall function 00A05D0A: GetWindowRect.USER32(?,?), ref: 00A05D71
Part of subcall function 00A05D0A: ScreenToClient.USER32(?,?), ref: 00A05D99

GetDC.USER32 ref: 00A446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A44708
SelectObject.GDI32(00000000,00000000), ref: 00A44716
SelectObject.GDI32(00000000,00000000), ref: 00A4472B
ReleaseDC.USER32(?,00000000), ref: 00A44733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A447C4

Strings

U, xrefs: 00A44693

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 624c3f43575704ddf606d20ffb04043f398a703dfb3eedfa7bd9cdaf72957d41
Instruction ID: ce9e6a25329dfd95562b047e3a94f66e4d293d400e93ba0d6dc75c3ff4390a94
Opcode Fuzzy Hash: 624c3f43575704ddf606d20ffb04043f398a703dfb3eedfa7bd9cdaf72957d41
Instruction Fuzzy Hash: 6D71F239900209EFDF21CF64C984BBA7BB5FF8A361F14426AED565A1A6C7309C42DF50

Function 00A7359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00A735E4

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

LoadStringW.USER32(00AD2390,?,00000FFF,?), ref: 00A7360A

Strings

Error: , xrefs: 00A736EF
"%s" (%d) : ==> %s:, xrefs: 00A73742
Line %d (File "%s"):, xrefs: 00A7366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00A73724
^ ERROR, xrefs: 00A736C9

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 98779ed92ec2622d1902668ae16f9c9b81535d234d403c46ab90dc3df2959df0
Instruction ID: 00b9c13f7fb023a03847540edde7c6266948f02ceecb947ddcaff204aee5b1e7
Opcode Fuzzy Hash: 98779ed92ec2622d1902668ae16f9c9b81535d234d403c46ab90dc3df2959df0
Instruction Fuzzy Hash: 1A516F72D00209BADF14EBE0DE42EEEBB78AF14340F148125F105761A2DB311B99DF61

Function 00A98B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

Part of subcall function 00A1912D: GetCursorPos.USER32(?), ref: 00A19141
Part of subcall function 00A1912D: ScreenToClient.USER32(00000000,?), ref: 00A1915E
Part of subcall function 00A1912D: GetAsyncKeyState.USER32(00000001), ref: 00A19183
Part of subcall function 00A1912D: GetAsyncKeyState.USER32(00000002), ref: 00A1919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00A98B6B
ImageList_EndDrag.COMCTL32 ref: 00A98B71
ReleaseCapture.USER32 ref: 00A98B77
SetWindowTextW.USER32(?,00000000), ref: 00A98C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00A98C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00A98CFF

Strings

@GUI_DROPID, xrefs: 00A98C51
@GUI_DRAGFILE, xrefs: 00A98C9A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 456204313ce947f3d5ada9f8d07ed2e9496d870f36666288730f5663f3f7620f
Instruction ID: 6b52cb09cc722e41a4de43cabfd8c0c1703a6bc75bd4f7e0d38e495d3017869c
Opcode Fuzzy Hash: 456204313ce947f3d5ada9f8d07ed2e9496d870f36666288730f5663f3f7620f
Instruction Fuzzy Hash: 5E519B71205304AFDB00DF64DDA6FAA77E4FB89710F40062EF952A72E2CB749945CB62

Function 00A7C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A7C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A7C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A7C2CA
GetLastError.KERNEL32 ref: 00A7C322
SetEvent.KERNEL32(?), ref: 00A7C336
InternetCloseHandle.WININET(00000000), ref: 00A7C341

Strings

, xrefs: 00A7C2BB

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 4efc83bc1c382d9558279fff40394961be4762cb7ddba3cae2d9c587f92dcf2d
Instruction ID: 85c445c5130e58e5eed64a80c1e922d3d60c776f7bc82826926fbb07859fb2e6
Opcode Fuzzy Hash: 4efc83bc1c382d9558279fff40394961be4762cb7ddba3cae2d9c587f92dcf2d
Instruction Fuzzy Hash: E2317CB1600708AFD721DFA48D88AABBBFCEB49764F10C51EF44A97201DB34DD059B60

Function 00A6989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00A43AAF,?,?,Bad directive syntax error,00A9CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A698BC
LoadStringW.USER32(00000000,?,00A43AAF,?), ref: 00A698C3

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00A69987

Strings

Error: , xrefs: 00A69955
., xrefs: 00A6996D
%s (%d) : ==> %s.: %s %s, xrefs: 00A698F1
Line %d:, xrefs: 00A69912
Line %d (File "%s"):, xrefs: 00A6992D

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: d55071eb29c262fedb23cb059c732db44e8c78664b6f08667ec86865b0c9275b
Instruction ID: e9f130f58cf4b7144eb115845bfbc489f03dd62c2fb8fed6cd082cbf5391a036
Opcode Fuzzy Hash: d55071eb29c262fedb23cb059c732db44e8c78664b6f08667ec86865b0c9275b
Instruction Fuzzy Hash: A2217A3290021EBBCF15EF90DE46EEE7779BF18300F04486AF515660A2EB31AA58DB11

Function 00A6209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00A620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00A620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A6214D

Strings

smallicons, xrefs: 00A62115
largeicons, xrefs: 00A620E1
list, xrefs: 00A6212F
SHELLDLL_DefView, xrefs: 00A620CC
details, xrefs: 00A620FB

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 4c073ca017b2b316b0b641177e972f275c1316d3298877a72835fa080a9ec534
Instruction ID: 917c8d32b2ce013f17daa9ad6c27f2523eda794005726e48854c267f4a548332
Opcode Fuzzy Hash: 4c073ca017b2b316b0b641177e972f275c1316d3298877a72835fa080a9ec534
Instruction Fuzzy Hash: 74110A7668CB16B9F601A334EC06FE677BCDB16764B21022AFB04A90D1FE616C425714

Function 00A38D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32ee3d99bd697cdcb4881789862ee2055c8d8b4312bd64be51555061ae2b79b
Instruction ID: 460cc1d7360a4cddbea7e3bbe87664c50a6ceb60a2708565a4c5bd7a25c43d02
Opcode Fuzzy Hash: f32ee3d99bd697cdcb4881789862ee2055c8d8b4312bd64be51555061ae2b79b
Instruction Fuzzy Hash: 0AC1D174A04349AFDF15DFECD841BAEBBB0AF0A310F1441A9F455A7392CB749942CB61

Function 00A3CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00A3CEB7
_free.LIBCMT ref: 00A3CF22
_free.LIBCMT ref: 00A3CF48
_free.LIBCMT ref: 00A3CF71
_free.LIBCMT ref: 00A3CFA9
_free.LIBCMT ref: 00A3CFDA
_free.LIBCMT ref: 00A3D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00A3D09C
_free.LIBCMT ref: 00A3D0B5

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b848943c96ae5c08b512923163016531c1ca011d3679ed8e6619ea6049bf8015
Instruction ID: 32ea380b144df05b93af683a140d50f37fba02456bf7eff2906e518cc65e07d7
Opcode Fuzzy Hash: b848943c96ae5c08b512923163016531c1ca011d3679ed8e6619ea6049bf8015
Instruction Fuzzy Hash: E1612871905310AFDB25AFB4AD81BAE7BA6EF06330F14416EF945B7281E7329D01C790

Function 00A950D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00A95186
ShowWindow.USER32(?,00000000), ref: 00A951C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00A951CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00A951D1

Part of subcall function 00A96FBA: DeleteObject.GDI32(00000000), ref: 00A96FE6

GetWindowLongW.USER32(?,000000F0), ref: 00A9520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A9521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A9524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00A95287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00A95296

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 179bd0ac850ef5fd047429b463b85ad2b6043579b706ddb0bcdc9180cd190a21
Instruction ID: 5434ca3c22c8594f17a5b87d614c1c94c42b4b67a96a01d72c8149e061e674fd
Opcode Fuzzy Hash: 179bd0ac850ef5fd047429b463b85ad2b6043579b706ddb0bcdc9180cd190a21
Instruction Fuzzy Hash: 11518C34F51A08BEEF26AF74CC4BBD93BE5AB05321F244212F6159A2E0C775A981DB41

Function 00A18B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00A56890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00A568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00A568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A18874,00000000,00000000,00000000,000000FF,00000000), ref: 00A56901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A5691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A18874,00000000,00000000,00000000,000000FF,00000000), ref: 00A5692D

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 02ac7af4242c4a5a5ee5aea4c87f3a038786386a2e65df8340db10bb8a8f6a3b
Instruction ID: 2bdee21cfd805c39d9f2373f934481f260ce4dae787eec7b21d2e409fb1ac0fb
Opcode Fuzzy Hash: 02ac7af4242c4a5a5ee5aea4c87f3a038786386a2e65df8340db10bb8a8f6a3b
Instruction Fuzzy Hash: 9D51B6B0A04209EFDB20CF64CC95FAA3BB6FF58760F104529F906972A0DB74E991DB50

Function 00A7C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A7C182
GetLastError.KERNEL32 ref: 00A7C195
SetEvent.KERNEL32(?), ref: 00A7C1A9

Part of subcall function 00A7C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A7C272
Part of subcall function 00A7C253: GetLastError.KERNEL32 ref: 00A7C322
Part of subcall function 00A7C253: SetEvent.KERNEL32(?), ref: 00A7C336
Part of subcall function 00A7C253: InternetCloseHandle.WININET(00000000), ref: 00A7C341

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: ea6c592f4b7d4d9c4ce365c95d84392c3f805e551d7a7106a96a8d859d6973bf
Instruction ID: 26ca5a32475109051999b190a084497b50dda11ed329cc31bef1f0ba47f53888
Opcode Fuzzy Hash: ea6c592f4b7d4d9c4ce365c95d84392c3f805e551d7a7106a96a8d859d6973bf
Instruction Fuzzy Hash: C6318371200B01AFDB21AFE5DD44AA7BBF8FF14320B50C52EF55A86611DB30E9159BA0

Function 00A625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A63A57
Part of subcall function 00A63A3D: GetCurrentThreadId.KERNEL32 ref: 00A63A5E
Part of subcall function 00A63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A625B3), ref: 00A63A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00A625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00A625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00A625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00A62601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00A62605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A6260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00A62623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00A62627

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 88b4c7b79d334dad63573e2a9b1019cd57655eb5faa928f16e3b065dcdd19be6
Instruction ID: 22c968a20c34abd9f8b7063c80094a6d13e8831179a5e4205f09c022ab16f744
Opcode Fuzzy Hash: 88b4c7b79d334dad63573e2a9b1019cd57655eb5faa928f16e3b065dcdd19be6
Instruction Fuzzy Hash: 4801D831390A20BBFB10A7A9DC8AF593F69DF5EB61F100012F314AE0D1CDE21445DA69

Function 00A61803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00A61449,?,?,00000000), ref: 00A6180C
HeapAlloc.KERNEL32(00000000,?,00A61449,?,?,00000000), ref: 00A61813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A61449,?,?,00000000), ref: 00A61828
GetCurrentProcess.KERNEL32(?,00000000,?,00A61449,?,?,00000000), ref: 00A61830
DuplicateHandle.KERNEL32(00000000,?,00A61449,?,?,00000000), ref: 00A61833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A61449,?,?,00000000), ref: 00A61843
GetCurrentProcess.KERNEL32(00A61449,00000000,?,00A61449,?,?,00000000), ref: 00A6184B
DuplicateHandle.KERNEL32(00000000,?,00A61449,?,?,00000000), ref: 00A6184E
CreateThread.KERNEL32(00000000,00000000,00A61874,00000000,00000000,00000000), ref: 00A61868

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c0b5cd1073dcb150cdf839df938633ee648268659bd6208016f96b559d461ad8
Instruction ID: 0f9539326aa416451551572a91ad027f5d12c64b39597cb6b12ff317fa1de331
Opcode Fuzzy Hash: c0b5cd1073dcb150cdf839df938633ee648268659bd6208016f96b559d461ad8
Instruction Fuzzy Hash: 4601A8B5340708BFEA10EBA5DD4AF6B7BACEB89B11F504512FA05DB1A1CA7098018B34

Function 00A8A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00A6D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00A6D501
Part of subcall function 00A6D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00A6D50F
Part of subcall function 00A6D4DC: CloseHandle.KERNELBASE(00000000), ref: 00A6D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A8A16D
GetLastError.KERNEL32 ref: 00A8A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A8A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A8A268
GetLastError.KERNEL32(00000000), ref: 00A8A273
CloseHandle.KERNEL32(00000000), ref: 00A8A2C4

Strings

SeDebugPrivilege, xrefs: 00A8A18F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 66449d2677d604610e5645cffd1df7eb49455bc33414598a6a24eb695c4af02c
Instruction ID: 3fda9390ebbb5054ee12bd9a3c6751b9113b9df887736ef60681faac84fca099
Opcode Fuzzy Hash: 66449d2677d604610e5645cffd1df7eb49455bc33414598a6a24eb695c4af02c
Instruction Fuzzy Hash: DF61C3702046429FE720EF18C494F56BBE1AF54318F18858DE4664F7A3DB76EC45CB92

Function 00A93886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A93925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00A9393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A93954
_wcslen.LIBCMT ref: 00A93999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A939F4

Strings

SysListView32, xrefs: 00A938F7

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: a0550c0735e3b0daf6030af93a1700800689b7114b7973fc35e5f6644207bd0e
Instruction ID: 9787f35fb649b06185798f6fdaf07f34df19b13052bce25c5313b8f2765374ed
Opcode Fuzzy Hash: a0550c0735e3b0daf6030af93a1700800689b7114b7973fc35e5f6644207bd0e
Instruction Fuzzy Hash: 52418372A00219ABEF21DFA4CC45BEE7BF9EF08354F100526F959E7281D7759980CB90

Function 00A6BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A6BCFD
IsMenu.USER32(00000000), ref: 00A6BD1D
CreatePopupMenu.USER32 ref: 00A6BD53
GetMenuItemCount.USER32(00F55060), ref: 00A6BDA4
InsertMenuItemW.USER32(00F55060,?,00000001,00000030), ref: 00A6BDCC

Strings

0, xrefs: 00A6BCA8
2, xrefs: 00A6BD37

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2ad97aa582ba17e054992a6ef28f26e582d188cb80f8aba213eda444b86293cb
Instruction ID: baaef7fb8a66a89a68a344589a70706ed3dc73afd86f2ca643db4e5fd87ec82c
Opcode Fuzzy Hash: 2ad97aa582ba17e054992a6ef28f26e582d188cb80f8aba213eda444b86293cb
Instruction Fuzzy Hash: 5751AF70A10205EBDF21DFA8D984BAEBBF8BF45324F14426AE851DB291D7709981CB71

Function 00A6C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00A6C913

Strings

stop, xrefs: 00A6C8E4
blank, xrefs: 00A6C895
info, xrefs: 00A6C8B4
question, xrefs: 00A6C8CC
warning, xrefs: 00A6C8FC

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b7c24f64875999f9b16a3ba3960936f1e5e5c18c125eac7c7156952d096b03ad
Instruction ID: 06da8e4084aedd268a0921de97156fcc1025e23335fc8b809f7504a8f9a42658
Opcode Fuzzy Hash: b7c24f64875999f9b16a3ba3960936f1e5e5c18c125eac7c7156952d096b03ad
Instruction Fuzzy Hash: 4511B733689706BAE715DB54AC82DBA67BCDF19774B60043FF544A7282E7B05E005264

Function 00A6DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A6DE42
gethostname.WSOCK32(?,00000100), ref: 00A6DE5C
gethostbyname.WSOCK32(?), ref: 00A6DE69
inet_ntoa.WSOCK32(?), ref: 00A6DEAB
_strcat.LIBCMT ref: 00A6DEB9
WSACleanup.WSOCK32 ref: 00A6DEDE

Strings

0.0.0.0, xrefs: 00A6DE87

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: a80a2312e38c397d0b1ecafd00962a5ee7f79d2a0345f1a9986a24edd557c7d2
Instruction ID: 971a7e5abc011dc7ba39e423440b05414e094c37137c2bbe25a3c90eaed40b68
Opcode Fuzzy Hash: a80a2312e38c397d0b1ecafd00962a5ee7f79d2a0345f1a9986a24edd557c7d2
Instruction Fuzzy Hash: E611EC71A04114BFCB20EB64DD4AEDE77BCDF15761F01017AF545EA091EFB18A818A90

Function 00A99F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

GetSystemMetrics.USER32(0000000F), ref: 00A99FC7
GetSystemMetrics.USER32(0000000F), ref: 00A99FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00A9A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A9A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A9A263
ShowWindow.USER32(00000003,00000000), ref: 00A9A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00A9A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00A9A2CA

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 5145326515d142f4760cfc23eb5856d0e87aef73132a300abf72a367a495aec6
Instruction ID: 86367eb627fa2c222d937f4489209a0aa8343cce1f4ae110e805f794fda200e7
Opcode Fuzzy Hash: 5145326515d142f4760cfc23eb5856d0e87aef73132a300abf72a367a495aec6
Instruction Fuzzy Hash: F9B18831600215ABDF14CF68C9857EE7BF2BF54711F18816AEC499F2A5DB31A940CBA1

Function 00A6ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00A6ED2A
_wcslen.LIBCMT ref: 00A6ED3B
_wcslen.LIBCMT ref: 00A6ED79
_wcslen.LIBCMT ref: 00A6EDAF
_wcslen.LIBCMT ref: 00A6EDDF
_wcslen.LIBCMT ref: 00A6EDEF
_wcslen.LIBCMT ref: 00A6EE2B
_wcslen.LIBCMT ref: 00A6EE5A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 4e31d4b62ddb6b6773933e03fab089386edf7938c3bb29773dc879824e70820c
Instruction ID: 84eddd4972638356ba3da74961b31db1ec33c1ca38a0a7b2ba573692e1e93838
Opcode Fuzzy Hash: 4e31d4b62ddb6b6773933e03fab089386edf7938c3bb29773dc879824e70820c
Instruction Fuzzy Hash: 22419375C10228B5DB11EBF8988A9CFB7BCAF49710F508472E528E3122FB34E255C3A5

Function 00A1F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00A5682C,00000004,00000000,00000000), ref: 00A1F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00A5682C,00000004,00000000,00000000), ref: 00A5F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00A5682C,00000004,00000000,00000000), ref: 00A5F454

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 7cfbf87594aebe2d03dba47be73a99596757e19ab945d96f9b7c193a41e2639f
Instruction ID: e6e4e121fb8258a03ac338f77976bb4e8cb36372f7fdb498ef0bd268193d6d05
Opcode Fuzzy Hash: 7cfbf87594aebe2d03dba47be73a99596757e19ab945d96f9b7c193a41e2639f
Instruction Fuzzy Hash: 78414B312086C0BFD738EB79CD887AA7BA1BB46331F58443DE49756560D631A8C6CB10

Function 00A92D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A92D1B
GetDC.USER32(00000000), ref: 00A92D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A92D2E
ReleaseDC.USER32(00000000,00000000), ref: 00A92D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A92D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A92D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A95A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00A92DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A92DE1

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ac64b8987e6ad8d1c20f0cae51fec2cd3eccdf4599526111dded7472a65804a9
Instruction ID: edd99ada9995e53179ef94e937606816a25cf7a950baea29c25415e54404ae02
Opcode Fuzzy Hash: ac64b8987e6ad8d1c20f0cae51fec2cd3eccdf4599526111dded7472a65804a9
Instruction Fuzzy Hash: BB317C72201614BFEF118F90CC8AFEB3BA9EF09725F044056FE089A291CA759C51CBB4

Function 00A65622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00A65637
_memcmp.LIBVCRUNTIME ref: 00A65659
_memcmp.LIBVCRUNTIME ref: 00A65671
_memcmp.LIBVCRUNTIME ref: 00A65684
_memcmp.LIBVCRUNTIME ref: 00A6569E
_memcmp.LIBVCRUNTIME ref: 00A656B1
_memcmp.LIBVCRUNTIME ref: 00A656C9
_memcmp.LIBVCRUNTIME ref: 00A656E4

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: db6051be97278971d2af9887a241519484ed1748319bf4d6ff3f14053a3d9226
Instruction ID: 4ade12e7f47ab12d75ef01133c44fd905f6deaa22368273b871fadf82fbda4c2
Opcode Fuzzy Hash: db6051be97278971d2af9887a241519484ed1748319bf4d6ff3f14053a3d9226
Instruction Fuzzy Hash: 2A219275F40A197BD6149635EF82FBA33BDAE20394F484430FD04AE681F720ED20C5A5

Function 00A84FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00A85007
NULL Pointer assignment, xrefs: 00A8502E, 00A85383

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 08e9956aed7d8ab2884441a84125ddd3859df567bedd9ff522da4ba040e37524
Instruction ID: a98c2c0ef161a9bd65158b6fecdd284f28ef5b5cb17912b940d9f50cda3abbae
Opcode Fuzzy Hash: 08e9956aed7d8ab2884441a84125ddd3859df567bedd9ff522da4ba040e37524
Instruction Fuzzy Hash: E2D1BD75E0060AAFDF10EFA8C894BAEB7B5FF48354F148569E915AB280E770DD41CB90

Function 00A41522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00A417FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00A415CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00A417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00A41651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00A417FB,?,00A417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00A416E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00A417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00A416FB

Part of subcall function 00A33820: RtlAllocateHeap.NTDLL(00000000,?,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6,?,00A01129), ref: 00A33852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00A417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00A41777
__freea.LIBCMT ref: 00A417A2
__freea.LIBCMT ref: 00A417AE

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 324af7965aadba3d07f58f04248c28a3435649c7fc511b4c66c326f3640a2242
Instruction ID: 56f286b85454d15c56efd9267201aca7d60efa01ddd36b00d69c89fd09a36f3d
Opcode Fuzzy Hash: 324af7965aadba3d07f58f04248c28a3435649c7fc511b4c66c326f3640a2242
Instruction Fuzzy Hash: F391B27AE002169EDF208FA4C981AEEBBB5AFC9350F184659F805E7141EB35DD81CB61

Function 00A84523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A84648
VariantInit.OLEAUT32(?), ref: 00A84749
VariantClear.OLEAUT32(?), ref: 00A84753
VariantClear.OLEAUT32(?), ref: 00A847B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00A845D8, 00A84706, 00A847BE
Incorrect Object type in FOR..IN loop, xrefs: 00A8472C

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 01886c4e7729462dba65acbf9cf49962ec774766f5f473c5537733629ae0aab6
Instruction ID: bbe24ec0a9bb558ff49101f9469e3b6c2cf229161988cbead4b3a9efb0af268d
Opcode Fuzzy Hash: 01886c4e7729462dba65acbf9cf49962ec774766f5f473c5537733629ae0aab6
Instruction Fuzzy Hash: 3B917271A0021AAFDF24DFA5C844FAEBBB8EF4A714F108569F515AB280D7749941CFA0

Function 00A71187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00A7125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00A71284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00A712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A7135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A71430

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 37bc00da856cca482e42e7c354bd0a981b254096afa1c064a88e539754126ada
Instruction ID: 8b99ec0e8ee5cf9a43073f09f3927062846b0be19d616ca37d318e1c4c542a85
Opcode Fuzzy Hash: 37bc00da856cca482e42e7c354bd0a981b254096afa1c064a88e539754126ada
Instruction Fuzzy Hash: F491AE75A00219AFDB00DFA8D884BBEB7F5FF45325F14C029E958EB292D774A941CB90

Function 00A1948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f987467818002fba8f9c7cb93d18c56012f0f29d658929f6dd4dd4c56a4eac74
Instruction ID: 6156616d4041a3cb2eaa542d907c0222be5da6fff59dae446244282a81a8e96a
Opcode Fuzzy Hash: f987467818002fba8f9c7cb93d18c56012f0f29d658929f6dd4dd4c56a4eac74
Instruction Fuzzy Hash: 5B913871D40219EFCB10CFA9CC84AEEBBB9FF49320F148155E915B7251D774AA86CB60

Function 00A83947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A8396B
CharUpperBuffW.USER32(?,?), ref: 00A83A7A
_wcslen.LIBCMT ref: 00A83A8A
VariantClear.OLEAUT32(?), ref: 00A83C1F

Part of subcall function 00A70CDF: VariantInit.OLEAUT32(00000000), ref: 00A70D1F
Part of subcall function 00A70CDF: VariantCopy.OLEAUT32(?,?), ref: 00A70D28
Part of subcall function 00A70CDF: VariantClear.OLEAUT32(?), ref: 00A70D34

Strings

AUTOIT.ERROR, xrefs: 00A83A80, 00A83A85
Incorrect Parameter format, xrefs: 00A839A6, 00A83BA1

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 913cf339f0f5b954830bbd5aa90b92bb70798925a274531fa1485ab6611e92be
Instruction ID: e51aa12b5e6165b8df376e4dea182d164ec84b76dfb788267dd6220ec88bd356
Opcode Fuzzy Hash: 913cf339f0f5b954830bbd5aa90b92bb70798925a274531fa1485ab6611e92be
Instruction Fuzzy Hash: 8B917A756083059FCB04EF24C58496AB7E4FF88714F14882DF88A9B351DB31EE45CB92

Function 00A84BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00A6000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?,?,00A6035E), ref: 00A6002B
Part of subcall function 00A6000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?), ref: 00A60046
Part of subcall function 00A6000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?), ref: 00A60054
Part of subcall function 00A6000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?), ref: 00A60064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00A84C51
_wcslen.LIBCMT ref: 00A84D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00A84DCF
CoTaskMemFree.OLE32(?), ref: 00A84DDA

Strings

NULL Pointer assignment, xrefs: 00A84E23, 00A84E52

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 2d71f9b6c9df78f6cecaf1fbb946e7453229db4f1bc3f6ec0e59a23a07da0cc5
Instruction ID: 75db48bb9f3113934378397d9fd1dd77965e87cf24d312e4bdeb255a95d91de5
Opcode Fuzzy Hash: 2d71f9b6c9df78f6cecaf1fbb946e7453229db4f1bc3f6ec0e59a23a07da0cc5
Instruction Fuzzy Hash: 0C912871D0021DAFDF14EFA4D891EEEB7B8BF08314F10816AE915A7291EB309A45CF60

Function 00A920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00A92183
GetMenuItemCount.USER32(00000000), ref: 00A921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A921DD
_wcslen.LIBCMT ref: 00A92213
GetMenuItemID.USER32(?,?), ref: 00A9224D
GetSubMenu.USER32(?,?), ref: 00A9225B

Part of subcall function 00A63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A63A57
Part of subcall function 00A63A3D: GetCurrentThreadId.KERNEL32 ref: 00A63A5E
Part of subcall function 00A63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A625B3), ref: 00A63A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A922E3

Part of subcall function 00A6E97B: Sleep.KERNEL32 ref: 00A6E9F3

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: fcdffca7db8df33b7b7539d2e36e101c6c8a473b97f09d84dbbc2c24d7aef3c4
Instruction ID: 110bff2a614c5263ff00f18c30f58a32718f75f61bdd6adaeaf9225aa05c50e6
Opcode Fuzzy Hash: fcdffca7db8df33b7b7539d2e36e101c6c8a473b97f09d84dbbc2c24d7aef3c4
Instruction Fuzzy Hash: B1717D75B00215AFCF10EFA8D945BAEB7F5EF88320F148469E816EB341DB34AD418B90

Function 00A97E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00F551C8), ref: 00A97F37
IsWindowEnabled.USER32(00F551C8), ref: 00A97F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00A9801E
SendMessageW.USER32(00F551C8,000000B0,?,?), ref: 00A98051
IsDlgButtonChecked.USER32(?,?), ref: 00A98089
GetWindowLongW.USER32(00F551C8,000000EC), ref: 00A980AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A980C3

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: dd6ee786c760f9efeb65a9dd17a13eb8d2d6e691846276e760597f4cb5c73bc0
Instruction ID: d365b3ed7a5157fe1bd7be03ccca02eec7841e24f32b7d26e8621db2f3a79ed5
Opcode Fuzzy Hash: dd6ee786c760f9efeb65a9dd17a13eb8d2d6e691846276e760597f4cb5c73bc0
Instruction Fuzzy Hash: 71717C34709214AFEF21DF64C994FAEBBF5EF0A310F14445AE946A7261CB35AC45DB20

Function 00A6AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A6AEF9
GetKeyboardState.USER32(?), ref: 00A6AF0E
SetKeyboardState.USER32(?), ref: 00A6AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00A6AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00A6AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00A6AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A6B020

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5aa19537f470fe5d49792175e12064dabe97964daa7c89937c68f925d02c64da
Instruction ID: 9d19545eed4c4ac27363df73d8c2b33f7e2670241321a85517ecdebae143cf38
Opcode Fuzzy Hash: 5aa19537f470fe5d49792175e12064dabe97964daa7c89937c68f925d02c64da
Instruction Fuzzy Hash: 3751C2A0A147D53DFB3683348C45BBABEF95B06304F088489E1D9958C3C7A9ACC4DB62

Function 00A6ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00A6AD19
GetKeyboardState.USER32(?), ref: 00A6AD2E
SetKeyboardState.USER32(?), ref: 00A6AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A6ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A6ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A6AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A6AE38

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3b894f7995741a31c0833ee3b0bf2b5f3db2e2dce00c6b8024a598fa92927f5a
Instruction ID: 0a85e7a775ef423527265aa8e781541281b3e697c43c6c5c4b7c8ffc040b61a9
Opcode Fuzzy Hash: 3b894f7995741a31c0833ee3b0bf2b5f3db2e2dce00c6b8024a598fa92927f5a
Instruction Fuzzy Hash: 0A5108A16047E57DFB3383348C95BBA7EF85B55300F088489E1D5668C3D7A5EC84DB62

Function 00A3542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00A43CD6,?,?,?,?,?,?,?,?,00A35BA3,?,?,00A43CD6,?,?), ref: 00A35470
__fassign.LIBCMT ref: 00A354EB
__fassign.LIBCMT ref: 00A35506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00A43CD6,00000005,00000000,00000000), ref: 00A3552C
WriteFile.KERNEL32(?,00A43CD6,00000000,00A35BA3,00000000,?,?,?,?,?,?,?,?,?,00A35BA3,?), ref: 00A3554B
WriteFile.KERNEL32(?,?,00000001,00A35BA3,00000000,?,?,?,?,?,?,?,?,?,00A35BA3,?), ref: 00A35584

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4ac015ef570ed81df96a002731da5d936c399a96a680cf76ebce2b5020b89567
Instruction ID: ef8afdda1fe4aaf7938fd958ad3d9e37c760b5a5d76fe0d6538fa80213b65e42
Opcode Fuzzy Hash: 4ac015ef570ed81df96a002731da5d936c399a96a680cf76ebce2b5020b89567
Instruction Fuzzy Hash: A2519071E00649AFDB10CFA8D845AEEBBF9EF09310F14456AF956E7291D730AA41CB60

Function 00A22D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00A22D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00A22D53
_ValidateLocalCookies.LIBCMT ref: 00A22DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00A22E0C
_ValidateLocalCookies.LIBCMT ref: 00A22E61

Strings

csm, xrefs: 00A22DF6

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f6177b5dad0ad0ceca91dd9618c2631c49202fcad35706c938b5183eaeffa7f8
Instruction ID: feee4d2df80f0fd5f1e062d9b922675b8e7cea834ed4872612ed2839dfa94694
Opcode Fuzzy Hash: f6177b5dad0ad0ceca91dd9618c2631c49202fcad35706c938b5183eaeffa7f8
Instruction Fuzzy Hash: 4E419D35E00229BBCF10DF6CE845BAEBBB5BF45324F148165E815AB392D735AA05CB90

Function 00A810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A8307A
Part of subcall function 00A8304E: _wcslen.LIBCMT ref: 00A8309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A81112
WSAGetLastError.WSOCK32 ref: 00A81121
WSAGetLastError.WSOCK32 ref: 00A811C9
closesocket.WSOCK32(00000000), ref: 00A811F9

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 16f08654171c90c2fd2adfe024563eb684677807c8e37185be3bd04fa890d91a
Instruction ID: fd42c740b001dad7fa498e57a22e2a22a187b1be48b8e1acb4322ab9140ea617
Opcode Fuzzy Hash: 16f08654171c90c2fd2adfe024563eb684677807c8e37185be3bd04fa890d91a
Instruction Fuzzy Hash: BE41F431600604AFDB10EF54D888BA9B7E9FF45764F148259F9059B291DB70AD82CBE1

Function 00A6CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A6CF22,?), ref: 00A6DDFD

Part of subcall function 00A6DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A6CF22,?), ref: 00A6DE16

lstrcmpiW.KERNEL32(?,?), ref: 00A6CF45
MoveFileW.KERNEL32(?,?), ref: 00A6CF7F
_wcslen.LIBCMT ref: 00A6D005
_wcslen.LIBCMT ref: 00A6D01B
SHFileOperationW.SHELL32(?), ref: 00A6D061

Strings

\*.*, xrefs: 00A6CFF3

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 692c56f8eab060b1f12e1d969fe8516766c858289d58de7f98056c64d121e2b5
Instruction ID: 8a7b5fef1d3e89a7b80b69048d6b051f375ea8e0b943336b3bd432efdca7a891
Opcode Fuzzy Hash: 692c56f8eab060b1f12e1d969fe8516766c858289d58de7f98056c64d121e2b5
Instruction Fuzzy Hash: 59416971D452189FDF12EFA4DA81AEEB7B8AF08780F0000E6E545EB142EF34A785CB50

Function 00A92DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00A92E1C
GetWindowLongW.USER32(?,000000F0), ref: 00A92E4F
GetWindowLongW.USER32(?,000000F0), ref: 00A92E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00A92EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00A92EE0
GetWindowLongW.USER32(?,000000F0), ref: 00A92EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A92F0B

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 4316235a1fe43541631db931063aeaf8b3c8d67b6e31d2d853d8d12cdf781501
Instruction ID: d2b8a6463b02a633c54837e8c4b61c04ac5c1e38076472ce5de4b938fcd15124
Opcode Fuzzy Hash: 4316235a1fe43541631db931063aeaf8b3c8d67b6e31d2d853d8d12cdf781501
Instruction Fuzzy Hash: B4310E35745240AFEF21CF98DCD4FA53BE0FB8A720F1501A6FA018B2B2CB61A8419B50

Function 00A67726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A67769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A6778F
SysAllocString.OLEAUT32(00000000), ref: 00A67792
SysAllocString.OLEAUT32(?), ref: 00A677B0
SysFreeString.OLEAUT32(?), ref: 00A677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00A677DE
SysAllocString.OLEAUT32(?), ref: 00A677EC

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: fb0134748798804b51d013772f9b207654735f52641ae8a1e05fe51b2a8b8133
Instruction ID: cc141da66d3234c5ae35470a26c1cf0146d928bed6a3e020b5e3d031d883954e
Opcode Fuzzy Hash: fb0134748798804b51d013772f9b207654735f52641ae8a1e05fe51b2a8b8133
Instruction Fuzzy Hash: 87218E76718219AFDF10DFA8CD88CBF77BCEB09768B048126BA15DB190DA74DC428764

Function 00A677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A67842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A67868
SysAllocString.OLEAUT32(00000000), ref: 00A6786B
SysAllocString.OLEAUT32 ref: 00A6788C
SysFreeString.OLEAUT32 ref: 00A67895
StringFromGUID2.OLE32(?,?,00000028), ref: 00A678AF
SysAllocString.OLEAUT32(?), ref: 00A678BD

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b813a3ea1195f0292ff0c23c4a1f25331e24107dda17434f919827df0a09a294
Instruction ID: 53406930a27d483acfbecf581bf90ad2e65322bafce783038712e36c30559047
Opcode Fuzzy Hash: b813a3ea1195f0292ff0c23c4a1f25331e24107dda17434f919827df0a09a294
Instruction Fuzzy Hash: D7215C36718204AFDF10AFE8DC8CDAE77BCEB097647108126B915CB2A1DA74DC81CB64

Function 00A704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00A704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A7052E

Strings

nul, xrefs: 00A70567

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 008b9c51011e3fe6c2623f75d613473fc0703907541bba6e03b8bb7b0efdd213
Instruction ID: 60847a61f8a852b82bd2604bc6b99800376817ad71d4a4fd76ebcf8043a56c68
Opcode Fuzzy Hash: 008b9c51011e3fe6c2623f75d613473fc0703907541bba6e03b8bb7b0efdd213
Instruction Fuzzy Hash: 80216D75600305EBDF209F69DC44E9A7BB4AF54724F20CA19F8A9D62E0D7709941CF20

Function 00A705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A70601

Strings

nul, xrefs: 00A70639

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 1b3261fdf13aa573d48bedc43109a30a0388b47fcf7b55495df601c76cc3e328
Instruction ID: a255ff784e31f17bc10a3b1fa04c99ea06296c0229f040fabaa7288f08d2dbca
Opcode Fuzzy Hash: 1b3261fdf13aa573d48bedc43109a30a0388b47fcf7b55495df601c76cc3e328
Instruction Fuzzy Hash: 12218375600305DBDB209F698C54E9A77E4BF95734F20CB1AF8A5E72D0DBB09961CB20

Function 00A940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A0600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A0604C
Part of subcall function 00A0600E: GetStockObject.GDI32(00000011), ref: 00A06060
Part of subcall function 00A0600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A0606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A94112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A9411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A9412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A94139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A94145

Strings

Msctls_Progress32, xrefs: 00A940E3

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 7d7190d1938a8caa42394ebe47959df6c1476d3b819036bec3cb9b6e8f629444
Instruction ID: 638a25ddf0199bf460be004d3b3ed89835d0505450d5bc2be6d431a3ac20e382
Opcode Fuzzy Hash: 7d7190d1938a8caa42394ebe47959df6c1476d3b819036bec3cb9b6e8f629444
Instruction Fuzzy Hash: 0711B6B224011D7EEF118F64CC85EE77F9DEF08798F114111B718A2050C7769C22DBA4

Function 00A3D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A3D7A3: _free.LIBCMT ref: 00A3D7CC

_free.LIBCMT ref: 00A3D82D

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

_free.LIBCMT ref: 00A3D838
_free.LIBCMT ref: 00A3D843
_free.LIBCMT ref: 00A3D897
_free.LIBCMT ref: 00A3D8A2
_free.LIBCMT ref: 00A3D8AD
_free.LIBCMT ref: 00A3D8B8

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ae7fcd789960766625c394a40f1b6d8a2e79cbfab2602943b83fb950f3c6d686
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D0118F71940B14FADA31BFF0EE47FCBBBDCAF40700F400825B699AA292DA75B5058760

Function 00A6DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A6DA74
LoadStringW.USER32(00000000), ref: 00A6DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A6DA91
LoadStringW.USER32(00000000), ref: 00A6DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A6DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A6DAB9

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 280d23dfdd23c887e7c0a0a5948b772387ac19fc81258e7ce78eeb2cc9baa853
Instruction ID: 96556582262b0f30cbc2cfc998c96f4947e821687d9779def181c48699196f56
Opcode Fuzzy Hash: 280d23dfdd23c887e7c0a0a5948b772387ac19fc81258e7ce78eeb2cc9baa853
Instruction Fuzzy Hash: BD0162F2A042087FEB10DBE09D89EE7367CE708351F400596B706E2041EA749E854F74

Function 00A7096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00F4C8F0,00F4C8F0), ref: 00A7097B
EnterCriticalSection.KERNEL32(00F4C8D0,00000000), ref: 00A7098D
TerminateThread.KERNEL32(?,000001F6), ref: 00A7099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00A709A9
CloseHandle.KERNEL32(?), ref: 00A709B8
InterlockedExchange.KERNEL32(00F4C8F0,000001F6), ref: 00A709C8
LeaveCriticalSection.KERNEL32(00F4C8D0), ref: 00A709CF

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 90cbfde32a7bb48d895f9e4fcf94794d0b814aa0f48fb4b0e623bf5e7bd5cc5b
Instruction ID: 4d6b81e7a50dde10044fca618554b4a4cee21c510e0fdc892dc45daffb4e957d
Opcode Fuzzy Hash: 90cbfde32a7bb48d895f9e4fcf94794d0b814aa0f48fb4b0e623bf5e7bd5cc5b
Instruction Fuzzy Hash: 62F01D32542912EBDB41ABA4EE89AD6BA25BF01712F805016F201508A0CB75A466CFA0

Function 00A81C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A81DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A81DE1
WSAGetLastError.WSOCK32 ref: 00A81DF2
htons.WSOCK32(?,?,?,?,?), ref: 00A81EDB
inet_ntoa.WSOCK32(?), ref: 00A81E8C

Part of subcall function 00A639E8: _strlen.LIBCMT ref: 00A639F2

Part of subcall function 00A83224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00A7EC0C), ref: 00A83240

_strlen.LIBCMT ref: 00A81F35

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 9fd0ee79c154518053912c56747104bcee1a603da320c8ca3cac42feae709a84
Instruction ID: f6921c4a7114a3eba2f2747466bfbd60497d9272866e02ac397b225f1214003c
Opcode Fuzzy Hash: 9fd0ee79c154518053912c56747104bcee1a603da320c8ca3cac42feae709a84
Instruction Fuzzy Hash: 46B10171604300AFC724EF24C885E2A7BE9AF84318F54894CF55A5F2E2DB71ED82CB91

Function 00A05D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00A05D30
GetWindowRect.USER32(?,?), ref: 00A05D71
ScreenToClient.USER32(?,?), ref: 00A05D99
GetClientRect.USER32(?,?), ref: 00A05ED7
GetWindowRect.USER32(?,?), ref: 00A05EF8

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 0c82094de5cf531e5d917b027ec5a994508159b16a4e8f74f1d06017188bd9a8
Instruction ID: c95a61e64e0beb05e95ef7491fac186f6ce54a92d6e33f9a08d1e1fef1570246
Opcode Fuzzy Hash: 0c82094de5cf531e5d917b027ec5a994508159b16a4e8f74f1d06017188bd9a8
Instruction Fuzzy Hash: C1B15739A00A4ADBDB14CFB9C4807EAB7F1FF58310F14941AE8A9D7290DB34AA51DF54

Function 00A301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00A300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A300D6
__allrem.LIBCMT ref: 00A300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A3010B
__allrem.LIBCMT ref: 00A30122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A30140

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: f0c2f542ce8eb99528898409866193df5ef832fe3798f7ebf89b1a0de83daa13
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 1A812476A00B169FE7249F2CDD52F6BB3F9AF41760F24423AF551D6681E770D9008B90

Function 00A361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00A282D9,00A282D9,?,?,?,00A3644F,00000001,00000001,8BE85006), ref: 00A36258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A3644F,00000001,00000001,8BE85006,?,?,?), ref: 00A362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A363D8
__freea.LIBCMT ref: 00A363E5

Part of subcall function 00A33820: RtlAllocateHeap.NTDLL(00000000,?,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6,?,00A01129), ref: 00A33852

__freea.LIBCMT ref: 00A363EE
__freea.LIBCMT ref: 00A36413

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7a098e0cd0179c91da055f1dba73df16701c505e488116c8673fe5efc26944a8
Instruction ID: 5abebf7b378d8d53bcfa6e9eb1004a8adc2efc93523d10bf95d12dd8e950b292
Opcode Fuzzy Hash: 7a098e0cd0179c91da055f1dba73df16701c505e488116c8673fe5efc26944a8
Instruction Fuzzy Hash: 2151AF73A00216BBEF258FA4DD81EBF7BA9EB44750F258629FC05DA141EB34DC44C6A0

Function 00A8BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8B6AE,?,?), ref: 00A8C9B5
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8C9F1
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA68
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A8BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A8BD25
RegCloseKey.ADVAPI32(00000000), ref: 00A8BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A8BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A8BDF3
RegCloseKey.ADVAPI32(?), ref: 00A8BDFF

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 7bab7fb294344c20286ca3df8e83f9259635b2ef9eb864278c6840e7bed0e0f5
Instruction ID: 511f4b8cc296ec4e4d069add1d635fe6d48fa449b66d649c6e714e0cba0f7672
Opcode Fuzzy Hash: 7bab7fb294344c20286ca3df8e83f9259635b2ef9eb864278c6840e7bed0e0f5
Instruction Fuzzy Hash: 2B81AF70218241EFD714EF24C991E2ABBE5FF84308F14895CF4598B2A2DB31ED45CBA2

Function 00A5F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00A5F7B9
SysAllocString.OLEAUT32(00000001), ref: 00A5F860
VariantCopy.OLEAUT32(00A5FA64,00000000), ref: 00A5F889
VariantClear.OLEAUT32(00A5FA64), ref: 00A5F8AD
VariantCopy.OLEAUT32(00A5FA64,00000000), ref: 00A5F8B1
VariantClear.OLEAUT32(?), ref: 00A5F8BB

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: c7fd81e2e976bb476905c13bb52a53dfef2f6afacc4f788f6b64692c9c890ff7
Instruction ID: 7c4b8ac8a3667d3063d572f44ee9d99f331ad5eabe913366b3447ae397a09590
Opcode Fuzzy Hash: c7fd81e2e976bb476905c13bb52a53dfef2f6afacc4f788f6b64692c9c890ff7
Instruction Fuzzy Hash: 6E51C331600710FECF20AB65D995B29B3A8FF45312F248467ED06DF296DB709C84C796

Function 00A7910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00A07620: _wcslen.LIBCMT ref: 00A07625

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00A794E5
_wcslen.LIBCMT ref: 00A79506
_wcslen.LIBCMT ref: 00A7952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00A79585

Strings

X, xrefs: 00A79412

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 7b1b1e068e9a0342d6d29aaedb45866fa96d33e709e5c6b67ae2ed47523dac38
Instruction ID: a8755faad98f0ca7bedeabae7d2d62ad9079b7c26c9e3b559ed6df09c556a75a
Opcode Fuzzy Hash: 7b1b1e068e9a0342d6d29aaedb45866fa96d33e709e5c6b67ae2ed47523dac38
Instruction Fuzzy Hash: AFE1C1316083508FD724EF24D981A6BB7E4BF85314F04C96DF8999B2A2DB30ED05CB92

Function 00A1920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

BeginPaint.USER32(?,?,?), ref: 00A19241
GetWindowRect.USER32(?,?), ref: 00A192A5
ScreenToClient.USER32(?,?), ref: 00A192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A192D3
EndPaint.USER32(?,?,?,?,?), ref: 00A19321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00A571EA

Part of subcall function 00A19339: BeginPath.GDI32(00000000), ref: 00A19357

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: d51bb2693cd85eeba925282b22235e4649f7198587f71ce47f9dcaa71d52c83b
Instruction ID: e4b374a5aee486f51ff5e243cec6e708fb0a858d6cd9a253fe2872630047e13d
Opcode Fuzzy Hash: d51bb2693cd85eeba925282b22235e4649f7198587f71ce47f9dcaa71d52c83b
Instruction Fuzzy Hash: 46419F30205600AFD711DFA4DCA4FAB7BB8FB45721F14022AF9659B2B2C7319886DB61

Function 00A707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00A7080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00A70847
EnterCriticalSection.KERNEL32(?), ref: 00A70863
LeaveCriticalSection.KERNEL32(?), ref: 00A708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00A708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00A70921

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: d98dc9794cf759da15d0aab578c0c987a70b50304655bcb5223d886a8efd037c
Instruction ID: c220fcf0bdea55aea871ea97c5b261053893a1238374e3ff5b237cf34ddd84ea
Opcode Fuzzy Hash: d98dc9794cf759da15d0aab578c0c987a70b50304655bcb5223d886a8efd037c
Instruction Fuzzy Hash: DA415A71A00205EFDF14EF94DD85AAA77B8FF44310F1480A5ED049A29BDB30DE65DBA4

Function 00A981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00A5F3AB,00000000,?,?,00000000,?,00A5682C,00000004,00000000,00000000), ref: 00A9824C
EnableWindow.USER32(?,00000000), ref: 00A98272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00A982D1
ShowWindow.USER32(?,00000004), ref: 00A982E5
EnableWindow.USER32(?,00000001), ref: 00A9830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00A9832F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f3e42d429e1302608b01d4c86199b8c55ae954da2b1d590f714c19c4d8b4b0b7
Instruction ID: 41513ff057d9702e5db00cfb8b234b7688b35db65dc702a26bc8f71d1bfcb7dd
Opcode Fuzzy Hash: f3e42d429e1302608b01d4c86199b8c55ae954da2b1d590f714c19c4d8b4b0b7
Instruction Fuzzy Hash: B141A334702644AFDF21CF55C899BE57BE0FB0B714F1841AAE5194F2A3CB39A842CB50

Function 00A64C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00A64C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A64CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A64CEA
_wcslen.LIBCMT ref: 00A64D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A64D10
_wcsstr.LIBVCRUNTIME ref: 00A64D1A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 8a0f4eb0271139adada685747187e78ff94a05a133226878f4f5fd02afa92072
Instruction ID: f17684cdea2c4f6f915b35529e998546814ff7aa7c5ee4205c2d32ec94093575
Opcode Fuzzy Hash: 8a0f4eb0271139adada685747187e78ff94a05a133226878f4f5fd02afa92072
Instruction Fuzzy Hash: B9212332604240BFEB259B79AD09E7B7BBCDF49760F10803AF905CA192EE65CC4192A0

Function 00A7581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A03A97,?,?,00A02E7F,?,?,?,00000000), ref: 00A03AC2

_wcslen.LIBCMT ref: 00A7587B
CoInitialize.OLE32(00000000), ref: 00A75995
CoCreateInstance.OLE32(00A9FCF8,00000000,00000001,00A9FB68,?), ref: 00A759AE
CoUninitialize.OLE32 ref: 00A759CC

Strings

.lnk, xrefs: 00A75876, 00A758C1, 00A75985

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: c43ff43011dbd60d220f7efdfbb044f458d8e1e421bfc2068e782d615503ed89
Instruction ID: 4a48f8e26921f519df361aa05691acb94875db37a42af91bb0abd343b21c8f6e
Opcode Fuzzy Hash: c43ff43011dbd60d220f7efdfbb044f458d8e1e421bfc2068e782d615503ed89
Instruction Fuzzy Hash: 20D16471A047059FC714DF24C980A2ABBE5FF89714F14885DF88A9B3A1DB71EC45CB92

Function 00A6175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A60FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A60FCA
Part of subcall function 00A60FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A60FD6
Part of subcall function 00A60FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A60FE5
Part of subcall function 00A60FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A60FEC
Part of subcall function 00A60FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A61002

GetLengthSid.ADVAPI32(?,00000000,00A61335), ref: 00A617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A617BA
HeapAlloc.KERNEL32(00000000), ref: 00A617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00A617DA
GetProcessHeap.KERNEL32(00000000,00000000,00A61335), ref: 00A617EE
HeapFree.KERNEL32(00000000), ref: 00A617F5

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 296d33eb27dd217fec96046231b6b3fe33890570f499d9b95f987e47fd60413d
Instruction ID: 9e2671dfd828c5a43d49ea4cbc838c73708b28f6421e5fbbd9775dea6c98a8af
Opcode Fuzzy Hash: 296d33eb27dd217fec96046231b6b3fe33890570f499d9b95f987e47fd60413d
Instruction Fuzzy Hash: B211A932600605EFDB10DFA4CC49FAE7BB9EB42365F284119F481A7210DB36AA41CF60

Function 00A614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00A61506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A61515
CloseHandle.KERNEL32(00000004), ref: 00A61520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A6154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00A61563

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 16547be8acbd3eb87bc16636c618c2a62bf639b320af615824f74ed3b88ce9e2
Instruction ID: 0414117875b03b1671c0511ff84b22cafe411837f6e30a99979bc7cefb77886f
Opcode Fuzzy Hash: 16547be8acbd3eb87bc16636c618c2a62bf639b320af615824f74ed3b88ce9e2
Instruction Fuzzy Hash: CB112972601209ABDF11CFE8EE49FDE7BB9EF48758F084015FA05A2060C7758E61DB61

Function 00A23382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A23379,00A22FE5), ref: 00A23390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A2339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A233B7
SetLastError.KERNEL32(00000000,?,00A23379,00A22FE5), ref: 00A23409

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a5ca622dbb3839e496f528545553f054d30c75b5100c310676d3976813385d5f
Instruction ID: 5c310506349c6f9e0950964ae93798d8d8a8b71998f7efaeb234ba776a6fa5e6
Opcode Fuzzy Hash: a5ca622dbb3839e496f528545553f054d30c75b5100c310676d3976813385d5f
Instruction Fuzzy Hash: 23012433208731BEEE24B7BC7D85A272A99EB07779720023AF410881F0FF194E035144

Function 00A32D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A35686,00A43CD6,?,00000000,?,00A35B6A,?,?,?,?,?,00A2E6D1,?,00AC8A48), ref: 00A32D78
_free.LIBCMT ref: 00A32DAB
_free.LIBCMT ref: 00A32DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00A2E6D1,?,00AC8A48,00000010,00A04F4A,?,?,00000000,00A43CD6), ref: 00A32DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00A2E6D1,?,00AC8A48,00000010,00A04F4A,?,?,00000000,00A43CD6), ref: 00A32DEC
_abort.LIBCMT ref: 00A32DF2

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 6744beb4d566d1400fb5fced970564eec8abeccae913e86efabfb2788aef1b67
Instruction ID: 74eea2cd0f2f9b6f1f46d98381c43a73bcfc2fa5aecfb744ae39553bfba63419
Opcode Fuzzy Hash: 6744beb4d566d1400fb5fced970564eec8abeccae913e86efabfb2788aef1b67
Instruction Fuzzy Hash: 35F0F632645A102BD62277B9BD0AF5F2669AFC27F1F250519F828D71E2EF3488035360

Function 00A98A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00A19639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A19693
Part of subcall function 00A19639: SelectObject.GDI32(?,00000000), ref: 00A196A2
Part of subcall function 00A19639: BeginPath.GDI32(?), ref: 00A196B9
Part of subcall function 00A19639: SelectObject.GDI32(?,00000000), ref: 00A196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00A98A4E
LineTo.GDI32(?,00000003,00000000), ref: 00A98A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00A98A70
LineTo.GDI32(?,00000000,00000003), ref: 00A98A80
EndPath.GDI32(?), ref: 00A98A90
StrokePath.GDI32(?), ref: 00A98AA0

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: fc1181c4db4e405b9d50b7398f90cdc7a1dec7db8430a949b6444017ce84f394
Instruction ID: f1f16c95e15adf28856db22ce8a093a06689e78649e42220e3583e3252f132d2
Opcode Fuzzy Hash: fc1181c4db4e405b9d50b7398f90cdc7a1dec7db8430a949b6444017ce84f394
Instruction Fuzzy Hash: FC11CC76140149FFDF11DFD4EC48E9A7F6DEB04364F048012FA1996161CB719D56DB60

Function 00A651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A65218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00A65229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A65230
ReleaseDC.USER32(00000000,00000000), ref: 00A65238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A6524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00A65261

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: cf0060e75d099411b044052d0970c5c8cc9e4c62fdd08fbc5f0a8b59a3a3a5af
Instruction ID: d86f078c78ac607f304fa7cf88e05e8ac160a1f3d98c8e60029ab0ac39033b7a
Opcode Fuzzy Hash: cf0060e75d099411b044052d0970c5c8cc9e4c62fdd08fbc5f0a8b59a3a3a5af
Instruction Fuzzy Hash: 30014475E00B14BBEB109BF59C49A5EBFB8EF44761F144066FA04A7281DA709905CB60

Function 00A01BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A01BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00A01BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A01C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A01C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00A01C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A01C22

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d0b2e48712477675de595c67c3d9a12fcfcd2c13929a87173cacb73c0c896d29
Instruction ID: d59b012671a552ab9af5031eb7f5e11aec87810618e417dafd9cb8c593d45c03
Opcode Fuzzy Hash: d0b2e48712477675de595c67c3d9a12fcfcd2c13929a87173cacb73c0c896d29
Instruction Fuzzy Hash: BD016CB0902B597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 00A6EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A6EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A6EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00A6EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A6EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A6EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A6EB75

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6855f4fc8a48b7e53b0ce7f4e443acb86fee0f1ba39b4ce742f52198e9811c6d
Instruction ID: 1e1ee81b0f1fcf9c806b6f8d25715af7e6a9f681fdd2d4bbd260dd1874641aac
Opcode Fuzzy Hash: 6855f4fc8a48b7e53b0ce7f4e443acb86fee0f1ba39b4ce742f52198e9811c6d
Instruction Fuzzy Hash: 8CF05472340958BBE72197929C0EEEF7E7CEFCAB21F00415AF601D1091DBA45A02C6B5

Function 00A57439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00A57452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00A57469
GetWindowDC.USER32(?), ref: 00A57475
GetPixel.GDI32(00000000,?,?), ref: 00A57484
ReleaseDC.USER32(?,00000000), ref: 00A57496
GetSysColor.USER32(00000005), ref: 00A574B0

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 8ef4f941042f58323d201fdffb0ae80b0a69371680e2aacf1b4def237a55fb4b
Instruction ID: cf6bc9378648e34db58272fe58cd67263710f754979e82a03ef3382a067b224d
Opcode Fuzzy Hash: 8ef4f941042f58323d201fdffb0ae80b0a69371680e2aacf1b4def237a55fb4b
Instruction Fuzzy Hash: F6014B31600615EFDB519FA8EC08BAE7BB5FB04322F614165FE16A21A1CF311E52EB50

Function 00A61874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A6187F
UnloadUserProfile.USERENV(?,?), ref: 00A6188B
CloseHandle.KERNEL32(?), ref: 00A61894
CloseHandle.KERNEL32(?), ref: 00A6189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A618A5
HeapFree.KERNEL32(00000000), ref: 00A618AC

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 45058d3460852b82d17ca90a3f80d46ee397cf1e05304e8134004b82166bbb67
Instruction ID: 39223bf13f0c78dd19ff82e4f26d758fa219ca552a274ea899b37b72cca18e08
Opcode Fuzzy Hash: 45058d3460852b82d17ca90a3f80d46ee397cf1e05304e8134004b82166bbb67
Instruction Fuzzy Hash: E1E0C236204901BBDA019BE1EE0C90ABB29FB49B32B208222F22585070CF329422DB64

Function 00A6C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07620: _wcslen.LIBCMT ref: 00A07625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A6C6EE
_wcslen.LIBCMT ref: 00A6C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A6C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A6C7CA

Strings

0, xrefs: 00A6C6AF

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 10899e8f50cc31ea398ea4aa1d4878fe1885eb785c3085cb388b254c18c5be30
Instruction ID: 6026c9ed2ba2e4e0ab7a6fd70f3b55ba9958cdfd0fd9ae00663f969b567fa453
Opcode Fuzzy Hash: 10899e8f50cc31ea398ea4aa1d4878fe1885eb785c3085cb388b254c18c5be30
Instruction Fuzzy Hash: AA51CD71604340ABD7109F28D985B7BB7F8AF49324F040A2AF9E6D32E1DB70D9448B96

Function 00A8AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00A8AEA3

Part of subcall function 00A07620: _wcslen.LIBCMT ref: 00A07625

GetProcessId.KERNEL32(00000000), ref: 00A8AF38
CloseHandle.KERNEL32(00000000), ref: 00A8AF67

Strings

@, xrefs: 00A8AE72
<, xrefs: 00A8AE6B

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: edb329ce2d7f161ef96e6c6d35f8e3d18469de39e97fd20a5dea587c5b1e56a2
Instruction ID: b6669b0cb916bd908a94419e5a292a6b014b19a9fa52a7a48c565284dfd145ec
Opcode Fuzzy Hash: edb329ce2d7f161ef96e6c6d35f8e3d18469de39e97fd20a5dea587c5b1e56a2
Instruction Fuzzy Hash: A6717B71A00619DFDB14EF94D584A9EBBF0FF08314F04849AE816AB392CB75ED85CB91

Function 00A6719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A67206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A6723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A6724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A672CF

Strings

DllGetClassObject, xrefs: 00A67242

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ad44950683faf3462fcf1b3350c502c5053ee19d1d67bda5117a1658e5540795
Instruction ID: be58f5e44c5eb6243ddf1acba8247e47155d7bddefbb4e3a1dd0b700930f51f8
Opcode Fuzzy Hash: ad44950683faf3462fcf1b3350c502c5053ee19d1d67bda5117a1658e5540795
Instruction Fuzzy Hash: 2B417EB1A14204EFDB15CFA4C894A9E7BB9EF44718F2480ADFD059F20AD7B0D945CBA0

Function 00A93D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A93E35
IsMenu.USER32(?), ref: 00A93E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A93E92
DrawMenuBar.USER32 ref: 00A93EA5

Strings

0, xrefs: 00A93D89

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: b15da153d5212495545841fb7d3b941517d12d8ea22558a5db07c51ed14ecdc3
Instruction ID: b4cf87a107e8144532104bdd84a3c6c39fb511e425d7d018d28bbea143d08f4f
Opcode Fuzzy Hash: b15da153d5212495545841fb7d3b941517d12d8ea22558a5db07c51ed14ecdc3
Instruction Fuzzy Hash: ED411876A01209AFDF10DF94D884AAABBF9FF49364F044129E905AB250D730AE55CF50

Function 00A61DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A61E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A61E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00A61EA9

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

Strings

ListBox, xrefs: 00A61E25
ComboBox, xrefs: 00A61DF0

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 54b18f9495ecedbbfb1376d2538f9403351e8e006bceec798f5225971a782227
Instruction ID: ce66fdbcaee863eead2e02d33891752140884ec0ec24bf27e0b1dc7955e3071a
Opcode Fuzzy Hash: 54b18f9495ecedbbfb1376d2538f9403351e8e006bceec798f5225971a782227
Instruction Fuzzy Hash: 2C212772E00108BEDB14ABA4DD45DFFBBB8EF45360B184519F925A71E1DB398D0A9620

Function 00A92F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A92F8D
LoadLibraryW.KERNEL32(?), ref: 00A92F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A92FA9
DestroyWindow.USER32(?), ref: 00A92FB1

Strings

SysAnimate32, xrefs: 00A92F68

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: a5891a14aeac3d6b7330ba24e2eedae3673c22fe23b319a64716ed8d5ad3b2e0
Instruction ID: c040788bda2f914ed54f1cd814d360e45fcaa45dd3a48c3d25de15fb349ae8d3
Opcode Fuzzy Hash: a5891a14aeac3d6b7330ba24e2eedae3673c22fe23b319a64716ed8d5ad3b2e0
Instruction Fuzzy Hash: 9C218872300209BBEF108FA4DC84FBB37F9EB59364F104619FA5492190D771DC619760

Function 00A24D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A24D1E,00A328E9,?,00A24CBE,00A328E9,00AC88B8,0000000C,00A24E15,00A328E9,00000002), ref: 00A24D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A24DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00A24D1E,00A328E9,?,00A24CBE,00A328E9,00AC88B8,0000000C,00A24E15,00A328E9,00000002,00000000), ref: 00A24DC3

Strings

CorExitProcess, xrefs: 00A24D98
mscoree.dll, xrefs: 00A24D86

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2743bca03155dec652b8af684155eca8288858f01da9f691c5eeff3d33f69f9b
Instruction ID: 78ee3b45ada72faf3f98995a5aec838d125340859a6ae17d7e12b668357b8809
Opcode Fuzzy Hash: 2743bca03155dec652b8af684155eca8288858f01da9f691c5eeff3d33f69f9b
Instruction Fuzzy Hash: 65F06234A40618BBDB119FD4EC49FAEBFB5EF48761F4001A5F809A22A0CF345D41CB94

Function 00A04E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A04EDD,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A04EAE
FreeLibrary.KERNEL32(00000000,?,?,00A04EDD,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00A04EA8
kernel32.dll, xrefs: 00A04E94

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: f77a1d1b84d7aca3da2dd7e86062fd7d2c3d1fbe866c46084bef00cbbcd0af86
Instruction ID: 679f7aa8226b20c40453a0ca06dddb066e21fbf6f73453acc0fe36d1a6491b20
Opcode Fuzzy Hash: f77a1d1b84d7aca3da2dd7e86062fd7d2c3d1fbe866c46084bef00cbbcd0af86
Instruction Fuzzy Hash: 46E08636B059226BD2215765BC18B9B6554BF85F727150216FD04D2150DF64CD0340E4

Function 00A04E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A43CDE,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A04E74
FreeLibrary.KERNEL32(00000000,?,?,00A43CDE,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E87

Strings

kernel32.dll, xrefs: 00A04E5B
Wow64RevertWow64FsRedirection, xrefs: 00A04E6E

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 046f4604775e9526fc463d2dc9fdbc1a82c657beb209de51035b36f645833fc9
Instruction ID: 973f82e7c58c34baffe6155ed56ea155c4b5f3bea64f8428112b1576b9f72e0e
Opcode Fuzzy Hash: 046f4604775e9526fc463d2dc9fdbc1a82c657beb209de51035b36f645833fc9
Instruction Fuzzy Hash: B5D0C232702E2167CA221B24BC08ECB2A18BF89F31315061AFA09A2190CF24CD0281D4

Function 00A72947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A72C05
DeleteFileW.KERNEL32(?), ref: 00A72C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A72C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A72CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A72CC0

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 6fb3c8e5a7d23bb2e1fdf97c156a594f483cb932008608df28b612e62b6705d7
Instruction ID: 20886968a658521a7ff6536041a08dd0b97f5e19acc6973d33c93135e9bd5ac7
Opcode Fuzzy Hash: 6fb3c8e5a7d23bb2e1fdf97c156a594f483cb932008608df28b612e62b6705d7
Instruction Fuzzy Hash: 28B13D72D0012DABDF11DFA4DD85EDEB7BDEF49350F1080A6F509E6141EA309A448F61

Function 00A8A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00A8A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A8A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A8A468
CloseHandle.KERNEL32(?), ref: 00A8A63D

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: b5559223f4a1c2db34984a0bcfabec4d6bc6a8288d96308a9b14d8ca7d52f583
Instruction ID: 8ebe37126079eb4e6333eeb7daef571d0c15157dda3d69e6961c953d5f5bbae3
Opcode Fuzzy Hash: b5559223f4a1c2db34984a0bcfabec4d6bc6a8288d96308a9b14d8ca7d52f583
Instruction Fuzzy Hash: 34A1C1716043019FE720EF28D986F2AB7E1AF94714F14881DF55A9B2D2DBB0EC41CB92

Function 00A3BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00AA3700), ref: 00A3BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00AD121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00A3BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00AD1270,000000FF,?,0000003F,00000000,?), ref: 00A3BC36
_free.LIBCMT ref: 00A3BB7F

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

_free.LIBCMT ref: 00A3BD4B

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 194cd1c6c73879b9a3c22144c39ad0d6410a9bd8023f247da6fa21cf1556e5cc
Instruction ID: 4d0069e52f97f94e56946445ad9f8672c13d5b98f6b1eea029998bb3d8f80c7f
Opcode Fuzzy Hash: 194cd1c6c73879b9a3c22144c39ad0d6410a9bd8023f247da6fa21cf1556e5cc
Instruction Fuzzy Hash: 5451E971910219EFCB20EFA59D829AEB7BDEF44360F10026BF655D7291EB309E41CB60

Function 00A6E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A6CF22,?), ref: 00A6DDFD

Part of subcall function 00A6DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A6CF22,?), ref: 00A6DE16

Part of subcall function 00A6E199: GetFileAttributesW.KERNEL32(?,00A6CF95), ref: 00A6E19A

lstrcmpiW.KERNEL32(?,?), ref: 00A6E473
MoveFileW.KERNEL32(?,?), ref: 00A6E4AC
_wcslen.LIBCMT ref: 00A6E5EB
_wcslen.LIBCMT ref: 00A6E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00A6E650

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: b136ecf96fca992380443993a7ee84912d69ac693d231cd2d3dddf0c9b38d40d
Instruction ID: a441ac083c3932a5828867dbf16d47c9a47e9a4519f68f33a7765ebe770d1a1f
Opcode Fuzzy Hash: b136ecf96fca992380443993a7ee84912d69ac693d231cd2d3dddf0c9b38d40d
Instruction Fuzzy Hash: 7C51A6B25083849FC724EBA4DD819DF73ECAF84340F00492EF689D3191EF75A6888766

Function 00A8B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8B6AE,?,?), ref: 00A8C9B5
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8C9F1
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA68
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A8BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A8BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A8BB63
RegCloseKey.ADVAPI32(?,?), ref: 00A8BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00A8BBB3

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: bd7b41f33b9444d4d4e90bc33ce4de13cb866463e0387c3b821fd5f4167a1089
Instruction ID: a1cec1487fd8217669209f3e8e3c17e28d1fb76e709ffbd4edbe83dc11847b54
Opcode Fuzzy Hash: bd7b41f33b9444d4d4e90bc33ce4de13cb866463e0387c3b821fd5f4167a1089
Instruction Fuzzy Hash: 7161C131218245EFD314EF14C494E2ABBE5FF84348F14855CF4998B2A2DB31ED45CBA2

Function 00A68BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A68BCD
VariantClear.OLEAUT32 ref: 00A68C3E
VariantClear.OLEAUT32 ref: 00A68C9D
VariantClear.OLEAUT32(?), ref: 00A68D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A68D3B

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 74e37abc527953135ed2e216847eb2dc16ced205b5cbbae4e97f0d449ca60151
Instruction ID: cb85d848ac305a2708d25f898836cd42037ec7dab6ea5414ac712b2957518ead
Opcode Fuzzy Hash: 74e37abc527953135ed2e216847eb2dc16ced205b5cbbae4e97f0d449ca60151
Instruction Fuzzy Hash: 05517BB5A00619EFCB10CF68C884AAAB7F8FF89310B158559F915DB350EB34E911CFA0

Function 00A78AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A78BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00A78BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A78C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A78C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A78C5F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 92da0a05b9db4bef02874bfbfbb1b277892713c423f9e81f17669673bf271716
Instruction ID: df54a7b35975c5257fb5e0b6d2219913ed42608df30b7fd7297eed5cf2cb322e
Opcode Fuzzy Hash: 92da0a05b9db4bef02874bfbfbb1b277892713c423f9e81f17669673bf271716
Instruction Fuzzy Hash: D5513A35A002199FCB01DF64C985AADBBF5BF48314F08C459E84AAB3A2CB35ED41CB90

Function 00A88EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00A88F40
GetProcAddress.KERNEL32(00000000,?), ref: 00A88FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00A88FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00A89032
FreeLibrary.KERNEL32(00000000), ref: 00A89052

Part of subcall function 00A1F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00A71043,?,75C0E610), ref: 00A1F6E6
Part of subcall function 00A1F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00A5FA64,00000000,00000000,?,?,00A71043,?,75C0E610,?,00A5FA64), ref: 00A1F70D

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 11b36b1c1e63987998cc5ff679aaa4398478d2bec6ba6864c2443bdb5451cc60
Instruction ID: 13503d135921f7dee3039b2cbde48057286721356ea64f81255de090f4e4c245
Opcode Fuzzy Hash: 11b36b1c1e63987998cc5ff679aaa4398478d2bec6ba6864c2443bdb5451cc60
Instruction Fuzzy Hash: D3514035605205DFC711EF54C5848AEBBF1FF49324B488099E91A9B362DB31ED86CF91

Function 00A96B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00A96C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00A96C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00A96C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00A7AB79,00000000,00000000), ref: 00A96C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00A96CC7

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: cc84716b8fe38a0f53e7134c881d52736aee1ed5cc42f2b49414ab9c822fef5b
Instruction ID: 4a363215b8c02cd0fbccb14b664e4e05b5a828b2c9d0c7280b815294bffd712b
Opcode Fuzzy Hash: cc84716b8fe38a0f53e7134c881d52736aee1ed5cc42f2b49414ab9c822fef5b
Instruction Fuzzy Hash: CC41AE35B04104AFDF24CF68CD98FA97BE5EF09360F150229F999A72A0D771AD41CA50

Function 00A32051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A320C3
_free.LIBCMT ref: 00A320E3

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 51aa75ec95fbfb2a17f6e6f88b7b4bf8fb69ea548a1b5397194dd40f8b2ab1c8
Instruction ID: 9307b560e2bfbb5a727d4bf68968204168cbf2491b9fadc4f139f117826d673b
Opcode Fuzzy Hash: 51aa75ec95fbfb2a17f6e6f88b7b4bf8fb69ea548a1b5397194dd40f8b2ab1c8
Instruction Fuzzy Hash: E741B132A00200AFCB24DF78C981B5EB7B5EF89714F1545A9F616EB391DA31AD01CB80

Function 00A1912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A19141
ScreenToClient.USER32(00000000,?), ref: 00A1915E
GetAsyncKeyState.USER32(00000001), ref: 00A19183
GetAsyncKeyState.USER32(00000002), ref: 00A1919D

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 975c824cd6f9ef9dea6a6bc2abe8cc918874c8423fa6aeda228ae07efa95c2e6
Instruction ID: 9fe5dfc5bb04af64d29e6c0b42b1bb7b2097e211f4e22a78cccaa8f43f7ad739
Opcode Fuzzy Hash: 975c824cd6f9ef9dea6a6bc2abe8cc918874c8423fa6aeda228ae07efa95c2e6
Instruction Fuzzy Hash: ED414075A0851ABBDF159F64D858BEEB7B4FB05324F204315E829A72E0C7306994CB51

Function 00A73874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00A738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00A73922
TranslateMessage.USER32(?), ref: 00A7394B
DispatchMessageW.USER32(?), ref: 00A73955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A73966

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 5a23b7118d87c938faae469d00fa88637b92e6d3f675c216e35705c691bfcb2a
Instruction ID: 3fe6224245ae54e277d60265203044073d9b1059e34f9d90f2cbe8d2c3e930c0
Opcode Fuzzy Hash: 5a23b7118d87c938faae469d00fa88637b92e6d3f675c216e35705c691bfcb2a
Instruction Fuzzy Hash: E1312B72605341AEEF34CBB4DC68BB637E8AB05300F05C56ED56B86190D7F49686EB11

Function 00A7CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00A7C21E,00000000), ref: 00A7CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00A7CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00A7C21E,00000000), ref: 00A7CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00A7C21E,00000000), ref: 00A7CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00A7C21E,00000000), ref: 00A7CFF2

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 3a2b536e503d021ad0d1449e85b8702e64d45472a499f43a785c43fb0bc91ea5
Instruction ID: ae8368b4f7f968a5f652e233dc9e013dcff3a40c02d75068f1e213a9de152619
Opcode Fuzzy Hash: 3a2b536e503d021ad0d1449e85b8702e64d45472a499f43a785c43fb0bc91ea5
Instruction Fuzzy Hash: 77314871600705AFDB20DFA5DD84AABBBF9EB14365B10C42EF50AE2141DB30AE41DB60

Function 00A61901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A61915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00A619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00A619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00A619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00A619E2

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 57d24810a7dc5f34c4adb251edb5ac1421e419cc1777f203c3c59c7b66c79d91
Instruction ID: 19e0d62a5a4ce8aa60570a2778015c84231e182a1991c92f8bd3154abaea5da3
Opcode Fuzzy Hash: 57d24810a7dc5f34c4adb251edb5ac1421e419cc1777f203c3c59c7b66c79d91
Instruction Fuzzy Hash: 1931C072A00219EFCB00CFA8CD99ADE3FB5EB04325F144229FA21A72D1C7709944CB90

Function 00A95706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A95745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A9579D
_wcslen.LIBCMT ref: 00A957AF
_wcslen.LIBCMT ref: 00A957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A95816

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 4f240ba0b22478a0d3beb63253c0ac92dd810cc3c6818370fd74399a5fd5d25b
Instruction ID: aecf2d0006e03b38973ed860b6ac8e1ddf88e0f35c54996e9872a7509de3a3c3
Opcode Fuzzy Hash: 4f240ba0b22478a0d3beb63253c0ac92dd810cc3c6818370fd74399a5fd5d25b
Instruction Fuzzy Hash: 0021A271E04618AADF21CFB4DC86AEE77F9FF44720F108216E929EA180D7748A85CF50

Function 00A80930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A80951
GetForegroundWindow.USER32 ref: 00A80968
GetDC.USER32(00000000), ref: 00A809A4
GetPixel.GDI32(00000000,?,00000003), ref: 00A809B0
ReleaseDC.USER32(00000000,00000003), ref: 00A809E8

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 821a1a98bb33742153dc60282c4341f53e893ce802705bd2b769512e961079ea
Instruction ID: 233b1afd734121e1934ced1394b2f107dd8970d34ec82aeb2bdf4bbbf5f5e8a5
Opcode Fuzzy Hash: 821a1a98bb33742153dc60282c4341f53e893ce802705bd2b769512e961079ea
Instruction Fuzzy Hash: 3D218135600204AFD714EFA9DD84EAEBBF5EF48710F048069E85A97362DB30AC45CB50

Function 00A3CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A3CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A3CDE9

Part of subcall function 00A33820: RtlAllocateHeap.NTDLL(00000000,?,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6,?,00A01129), ref: 00A33852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A3CE0F
_free.LIBCMT ref: 00A3CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A3CE31

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a3b82a15538bb5bd8d43a4bbf2c5440ea1e86f66b3b0f69b4c42e9ede9afc700
Instruction ID: 50fb3b615565c8cbd430db8defca39829d0824a78bc2a17be3297b72020f22d1
Opcode Fuzzy Hash: a3b82a15538bb5bd8d43a4bbf2c5440ea1e86f66b3b0f69b4c42e9ede9afc700
Instruction Fuzzy Hash: D301F7726016257FA32167B67C8CD7B796DDEC6FB1B25012AFD05E7201EE618D0283B0

Function 00A19639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A19693
SelectObject.GDI32(?,00000000), ref: 00A196A2
BeginPath.GDI32(?), ref: 00A196B9
SelectObject.GDI32(?,00000000), ref: 00A196E2

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 27004e0414888d6abc86530aeb435d834778c0e5e056a9dacce424c35e6e3eb1
Instruction ID: 9c698bfe9f34a13daa270c2dc566a059126c62d7ae6a2cec38a95ba45a29e811
Opcode Fuzzy Hash: 27004e0414888d6abc86530aeb435d834778c0e5e056a9dacce424c35e6e3eb1
Instruction Fuzzy Hash: 16214F70902305FBDB11DFA4EC247EA3BB8BB50365F500217F832A61B1D7705896CBA5

Function 00A1990C Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A198CC
SetTextColor.GDI32(?,?), ref: 00A198D6
SetBkMode.GDI32(?,00000001), ref: 00A198E9
GetStockObject.GDI32(00000005), ref: 00A198F1
GetWindowLongW.USER32(?,000000EB), ref: 00A19952

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 890eb222ffb7741905a9437c7fb39b37de4fe70bcabcd83605233395aeb57fe4
Instruction ID: 2cf01ada42b638b18110af098a933ee82c89fba5cd25244bbde2929007e79930
Opcode Fuzzy Hash: 890eb222ffb7741905a9437c7fb39b37de4fe70bcabcd83605233395aeb57fe4
Instruction Fuzzy Hash: B9212731246250AFCB128F64EC64AEB3B70EF13771B18425EF9928E1B1CB314982CB51

Function 00A65711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00A65726
_memcmp.LIBVCRUNTIME ref: 00A65744
_memcmp.LIBVCRUNTIME ref: 00A65757
_memcmp.LIBVCRUNTIME ref: 00A6576F
_memcmp.LIBVCRUNTIME ref: 00A65787

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: bbf89b7803b0ca77f776078dd43f48cb7bf60019f4e54c7fbf6dc8c3a2a0ddb8
Instruction ID: 1ecb057d2465bf82627e3c1dda88e109bf2535628c7c7e6063a767060c298ddc
Opcode Fuzzy Hash: bbf89b7803b0ca77f776078dd43f48cb7bf60019f4e54c7fbf6dc8c3a2a0ddb8
Instruction Fuzzy Hash: 88015271B41619BE96089625AF82EBA63ADAB613A4F004831FD04AE641F661ED2082A5

Function 00A32DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00A2F2DE,00A33863,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6), ref: 00A32DFD
_free.LIBCMT ref: 00A32E32
_free.LIBCMT ref: 00A32E59
SetLastError.KERNEL32(00000000,00A01129), ref: 00A32E66
SetLastError.KERNEL32(00000000,00A01129), ref: 00A32E6F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 8bb39c4a74987f698f5e783a5ca2d2a86b9fc3a475f77c0e3ad59d901037f584
Instruction ID: 02732ed2f91cf8ed0c859eac605fe74d289a8f1124a06a4c54ecbbb08dae9366
Opcode Fuzzy Hash: 8bb39c4a74987f698f5e783a5ca2d2a86b9fc3a475f77c0e3ad59d901037f584
Instruction Fuzzy Hash: DA012832205A006BCA12A7B57D47F2B2E6DABD53B1F350129F425A32D2EF748C025320

Function 00A6000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?,?,00A6035E), ref: 00A6002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?), ref: 00A60046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?), ref: 00A60054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?), ref: 00A60064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?), ref: 00A60070

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ade3bee65eba24dbd44846da5440b2bf64a49b7cbdae1b46138551cbcfb3d409
Instruction ID: 101e40950ba63da1b79d5fbd3647a978cc2826e6341260cce97b4cc864b4cfe7
Opcode Fuzzy Hash: ade3bee65eba24dbd44846da5440b2bf64a49b7cbdae1b46138551cbcfb3d409
Instruction Fuzzy Hash: E9018B72600604BFDB118FA8DC08FAB7ABDEB447A2F158125F905D6210EBB1DD818BA0

Function 00A6E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00A6E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00A6E9A5
Sleep.KERNEL32(00000000), ref: 00A6E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00A6E9B7
Sleep.KERNEL32 ref: 00A6E9F3

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 721ca464ba7b5768199e9da42906bb25c9992d9e4108b1e5ca3136aa799ab292
Instruction ID: 0c535de7a9f2c8124ee1f653b8a194cafd24f80cbc26ccab5b3228fde1841dc2
Opcode Fuzzy Hash: 721ca464ba7b5768199e9da42906bb25c9992d9e4108b1e5ca3136aa799ab292
Instruction Fuzzy Hash: B5015736D01A29DBCF00EFE5DC59AEDFB78FF08B11F100646E502B2241CB3095528BA5

Function 00A610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A61114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A6112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A6114D

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 827aad5ce8c368659ac53628999686e074eafdd5bddc494b2b8bf6e231062881
Instruction ID: c93e927c7b119286f0fcf53d5604c6e961f3c4db56427abd5c7b4303fb83be9d
Opcode Fuzzy Hash: 827aad5ce8c368659ac53628999686e074eafdd5bddc494b2b8bf6e231062881
Instruction Fuzzy Hash: 420169B5200605BFDB118FA4DC49A6A3F7EEF8A3A4B64441AFA41C7360DE31DC018A60

Function 00A60FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A60FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A60FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A60FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A60FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A61002

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a5108117ae5c986483bd943b3e472a7c3cea85ce6bc73156cb81550ffced509e
Instruction ID: 48363efb599037a27e54772bcd87541d64c2928b5bd66f3e292d6b60135ae1f5
Opcode Fuzzy Hash: a5108117ae5c986483bd943b3e472a7c3cea85ce6bc73156cb81550ffced509e
Instruction Fuzzy Hash: 70F04935200711ABDB218FA49C49F5A3FADEF89762F654426FA46C6261CE70DC418A70

Function 00A61014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A6102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A61036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A61045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A6104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A61062

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 28041edd6ed666a572b58a96bd37f3b43cf006ce284cf74b432b86c2f911ea60
Instruction ID: a92120eac476aefc21a70bcefec27f2baab0b663cad73d2c597e6f6adb3cb1ef
Opcode Fuzzy Hash: 28041edd6ed666a572b58a96bd37f3b43cf006ce284cf74b432b86c2f911ea60
Instruction Fuzzy Hash: 58F04935200711ABDF219FA4EC49F5A3FADEF89761F650426FA45C6260CE70D8418AB0

Function 00A7030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A70324
CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A70331
CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A7033E
CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A7034B
CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A70358
CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A70365

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d02aac1378304f555f90b72c956e5890753829a14f5232cb50eec266f908283d
Instruction ID: 2ce346ca514176ba4b860f85a8932369e058d0b492f785948d50bc46c5037c65
Opcode Fuzzy Hash: d02aac1378304f555f90b72c956e5890753829a14f5232cb50eec266f908283d
Instruction Fuzzy Hash: B6019C72800B15DFCB30AF66DC90812FBF9BE60215315CA3FD1AA96931C7B1A959CE80

Function 00A3D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A3D752

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

_free.LIBCMT ref: 00A3D764
_free.LIBCMT ref: 00A3D776
_free.LIBCMT ref: 00A3D788
_free.LIBCMT ref: 00A3D79A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11acaf5b7de7a1653807b6802720db3bffcf7393ae7b1615acbb408d5ea310c9
Instruction ID: 5914ccdffadc1f388180d3b5ec996becf0d32926e5a1719fb72451a6861c34c1
Opcode Fuzzy Hash: 11acaf5b7de7a1653807b6802720db3bffcf7393ae7b1615acbb408d5ea310c9
Instruction Fuzzy Hash: D5F0BD72545218EBC625EBA8FAC6E1A7BDDBB84720FA50C45F049E7552CB30FC818B64

Function 00A65C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00A65C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00A65C6F
MessageBeep.USER32(00000000), ref: 00A65C87
KillTimer.USER32(?,0000040A), ref: 00A65CA3
EndDialog.USER32(?,00000001), ref: 00A65CBD

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 36935781bf09d89d30cffed909284bd8b1547c3121cd9102e9055c6f75770468
Instruction ID: ad78c37a428a6b9068f2ca7eb53d9d7ab1e74e954ae45a28e89f573b2be2402f
Opcode Fuzzy Hash: 36935781bf09d89d30cffed909284bd8b1547c3121cd9102e9055c6f75770468
Instruction Fuzzy Hash: 1B018B30A00B049FEB245B60DD8EF9577B8BB01705F00155AA643A10E1DFF099458B50

Function 00A322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A322BE

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

_free.LIBCMT ref: 00A322D0
_free.LIBCMT ref: 00A322E3
_free.LIBCMT ref: 00A322F4
_free.LIBCMT ref: 00A32305

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d3250012aabdab070aae5b9ab5debdeb7eee812627d2b8f310b72d8f4079918b
Instruction ID: f02410b43b5178ff8e66c782a0d38d1d91e25e92d5cec12cda54850322e63ad0
Opcode Fuzzy Hash: d3250012aabdab070aae5b9ab5debdeb7eee812627d2b8f310b72d8f4079918b
Instruction Fuzzy Hash: 07F0B7798021209BC612EFD8BD01F893B65F758761F16059BF416D62B1C7310953AFE4

Function 00A195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00A195D4
StrokeAndFillPath.GDI32(?,?,00A571F7,00000000,?,?,?), ref: 00A195F0
SelectObject.GDI32(?,00000000), ref: 00A19603
DeleteObject.GDI32 ref: 00A19616
StrokePath.GDI32(?), ref: 00A19631

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: d7ffce62a8d8ccbaa6d61a554b0162bb9f2afc585d75de69b4fdda4713e5fe4b
Instruction ID: 2b3669a2b752de7f344ec0c9654288c248786406ab24ab36680bdc36f3c60a3a
Opcode Fuzzy Hash: d7ffce62a8d8ccbaa6d61a554b0162bb9f2afc585d75de69b4fdda4713e5fe4b
Instruction Fuzzy Hash: 7DF0EC31106604EBDB16DFA9ED2C7A53B65AB01332F548216F476550F1CB308997DF34

Function 00A30F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00A310F9
__freea.LIBCMT ref: 00A31117

Part of subcall function 00A31537: _free.LIBCMT ref: 00A3154F

Strings

a/p, xrefs: 00A311DE
am/pm, xrefs: 00A3117A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 73840406fafde0dc17377e467b0cc9ce364f605d9ad369d8890b804b235c32fb
Instruction ID: cd281fbb3994b15fc40aa4804f9ab34a19ce65af5879f631bf62fd11189109aa
Opcode Fuzzy Hash: 73840406fafde0dc17377e467b0cc9ce364f605d9ad369d8890b804b235c32fb
Instruction Fuzzy Hash: A8D11471900206DBDB689F68C895BFEB7B1FF06700F28426AF941AF651D3759D80CB91

Function 00A87B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00A20242: EnterCriticalSection.KERNEL32(00AD070C,00AD1884,?,?,00A1198B,00AD2518,?,?,?,00A012F9,00000000), ref: 00A2024D
Part of subcall function 00A20242: LeaveCriticalSection.KERNEL32(00AD070C,?,00A1198B,00AD2518,?,?,?,00A012F9,00000000), ref: 00A2028A

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A200A3: __onexit.LIBCMT ref: 00A200A9

__Init_thread_footer.LIBCMT ref: 00A87BFB

Part of subcall function 00A201F8: EnterCriticalSection.KERNEL32(00AD070C,?,?,00A18747,00AD2514), ref: 00A20202
Part of subcall function 00A201F8: LeaveCriticalSection.KERNEL32(00AD070C,?,00A18747,00AD2514), ref: 00A20235

Strings

5, xrefs: 00A87C78
Variable must be of type 'Object'., xrefs: 00A87C3A
G, xrefs: 00A87C7F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 21b4996c7ad196053ff45efce0a00889de1b0b2958553059952795c6575c385a
Instruction ID: 2510798b9498510f7d3bf591157fa69323f27f341310f3f2a807cf1c4e80e0b8
Opcode Fuzzy Hash: 21b4996c7ad196053ff45efce0a00889de1b0b2958553059952795c6575c385a
Instruction Fuzzy Hash: 2B915875A04209EFCB14EF98D991DADB7B2FF48304F248059F806AB292DB71EE45CB51

Function 00A62716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A621D0,?,?,00000034,00000800,?,00000034), ref: 00A6B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A62760

Part of subcall function 00A6B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00A6B3F8

Part of subcall function 00A6B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00A6B355
Part of subcall function 00A6B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A62194,00000034,?,?,00001004,00000000,00000000), ref: 00A6B365
Part of subcall function 00A6B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A62194,00000034,?,?,00001004,00000000,00000000), ref: 00A6B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A6281A

Strings

@, xrefs: 00A62832

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 415b2211b50bcfd51d57b13d73f229afced8b093e7a471f9821b567a52cff02e
Instruction ID: 8a871380b80e17aff9cc5f2d6ea7e1cc2413c2487f95069e100bdf134c96d582
Opcode Fuzzy Hash: 415b2211b50bcfd51d57b13d73f229afced8b093e7a471f9821b567a52cff02e
Instruction Fuzzy Hash: AC41FB76A00218AFDB10DFA4CD46FEEBBB8AF09700F108055FA55B7181DB706E85DBA1

Function 00A3172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00A31769
_free.LIBCMT ref: 00A31834
_free.LIBCMT ref: 00A3183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00A31760, 00A31767, 00A31796, 00A317CE

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: 4209abaa02aec1b45911df0bafa7710eb53cebce6109b0f7ef0efc8f6d477051
Instruction ID: 6ed037ce93f42389936c587309eb988de3bad39b56ab3eb5b9e6e1d6778e5b85
Opcode Fuzzy Hash: 4209abaa02aec1b45911df0bafa7710eb53cebce6109b0f7ef0efc8f6d477051
Instruction Fuzzy Hash: 13316975A01218FFDB21DB999D85E9EBBFCEB85310F1441ABF80597211DA708E41CBA4

Function 00A6C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A6C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00A6C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00AD1990,00F55060), ref: 00A6C395

Strings

0, xrefs: 00A6C2DF

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: b87cf487f839a2397bb42db136ba51dcedab373d97ec8ef81d35f193824ada58
Instruction ID: 1d2c24a4f65a41b64c593825230d5596344490ca0b2d25c834dfc2f6f8b770c2
Opcode Fuzzy Hash: b87cf487f839a2397bb42db136ba51dcedab373d97ec8ef81d35f193824ada58
Instruction Fuzzy Hash: 59419E712043019FD720DF29D884B6ABBF8AF85320F148A1EF9A59B3D1D730E904CB62

Function 00A94416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A9CC08,00000000,?,?,?,?), ref: 00A944AA
GetWindowLongW.USER32 ref: 00A944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A944D7

Strings

SysTreeView32, xrefs: 00A9447C

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b85c0681b3afc41f6a6d06a708dd106286bee74302504c58ab522cde607d2c61
Instruction ID: ad98061aa46175b343176c5698db15c4625965c0ffcb8bfea93ea13696cf65b6
Opcode Fuzzy Hash: b85c0681b3afc41f6a6d06a708dd106286bee74302504c58ab522cde607d2c61
Instruction Fuzzy Hash: 58317A32210605ABDF208F78DC45FEA7BE9EB48334F214719F979A21E0DB70AC529B50

Function 00A8304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00A83077,?,?), ref: 00A83378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A8307A
_wcslen.LIBCMT ref: 00A8309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00A83106

Strings

255.255.255.255, xrefs: 00A83095, 00A8309A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 2d393be148fdc0cf275aea9f6a43e76078b55b719c9c48449524c4f18f57db1c
Instruction ID: 2fbd8e8bb7806d652f2a0c437a82209548d481bbd0e5c0025a87d3e44a4f4742
Opcode Fuzzy Hash: 2d393be148fdc0cf275aea9f6a43e76078b55b719c9c48449524c4f18f57db1c
Instruction Fuzzy Hash: 4931C1366042059FCF10EF68C585EAA77F0EF14B18F248159E9168B392DB72EE46C761

Function 00A93EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A93F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A93F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A93F78

Strings

SysMonthCal32, xrefs: 00A93F0B

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 4b4ce78f02cb80ce3db970d549cff52d4b21e6453a66683d90190058aff6ab92
Instruction ID: 23c7b2c9e904510fe47af9bd59a399524ee5f25fe2873eb90079efc6be6aefb5
Opcode Fuzzy Hash: 4b4ce78f02cb80ce3db970d549cff52d4b21e6453a66683d90190058aff6ab92
Instruction Fuzzy Hash: 72219C33600219BFDF25CF90DC46FEA3BB9EF48724F110215FA156B1D0DAB5A9518BA0

Function 00A94653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A94705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A94713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A9471A

Strings

msctls_updown32, xrefs: 00A94684

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: ba5509ccd8293b392ef94c02cb7823784de45c0fddb21ac502a2be9021f5e725
Instruction ID: 70f640599521648f0af704305768db8a84987f178316afef62210d3249cac9a4
Opcode Fuzzy Hash: ba5509ccd8293b392ef94c02cb7823784de45c0fddb21ac502a2be9021f5e725
Instruction Fuzzy Hash: 7E214FB5600208AFEB10DFA4DCD1DBA37EDEB5E3A4B140459F6019B251DB30EC12CA60

Function 00A695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A6961D

Strings

#requireadmin, xrefs: 00A695D9
#notrayicon, xrefs: 00A695B7
#OnAutoItStartRegister, xrefs: 00A695F3

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f6f5d2d888c6fe4ea01c17f4f87715497e4447cba120e340b773eb98b4785164
Instruction ID: 8a0486762c77c3b463b330839c3a44260908aeaca6540bad24659868cfa8e74c
Opcode Fuzzy Hash: f6f5d2d888c6fe4ea01c17f4f87715497e4447cba120e340b773eb98b4785164
Instruction Fuzzy Hash: 9B215B722046206AD731AB28ED02FBB73FCAF51300F14443AFA4AD7081EB75ED45C295

Function 00A937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A93840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A93850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A93876

Strings

Listbox, xrefs: 00A9380F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 7ff2a2411d93153ec00a9d30416b5dd6f73762dc9157b0bb352e017942eca107
Instruction ID: dd5a93cb1cbb14b1ffd61714656b4781739701b1cb31cee2af987992adf4a54d
Opcode Fuzzy Hash: 7ff2a2411d93153ec00a9d30416b5dd6f73762dc9157b0bb352e017942eca107
Instruction Fuzzy Hash: D4217C72710218BBEF21CF94DC85EBB37BAEF89764F118125F9059B190CA759C528BA0

Function 00A749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A74A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A74A5C
SetErrorMode.KERNEL32(00000000,?,?,00A9CC08), ref: 00A74AD0

Strings

%lu, xrefs: 00A74A6F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 08a0922a6dbc3fd6b1495173065623087dd19d82ff46ecc6a444b9cfbb7a7b61
Instruction ID: 0e1c3368cdd011cbe6bc4e85aaa4b943d4ac78d0fd99b0fc5fb5dc60358c1776
Opcode Fuzzy Hash: 08a0922a6dbc3fd6b1495173065623087dd19d82ff46ecc6a444b9cfbb7a7b61
Instruction Fuzzy Hash: CA315175A00109AFDB10DF54C985EAA7BF8EF08318F1480A9F909DB252DB71ED46CB61

Function 00A941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A9424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A94264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A94271

Strings

msctls_trackbar32, xrefs: 00A94226

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c0a7ec35a6625d3a2aa8a3945d4016a26ec4aa49ea7284357f69b44ef445ffe8
Instruction ID: 130f0d428032cd200bf0079079ddefeaee6e81916992833f79fa82cb686cdf3f
Opcode Fuzzy Hash: c0a7ec35a6625d3a2aa8a3945d4016a26ec4aa49ea7284357f69b44ef445ffe8
Instruction Fuzzy Hash: C611E332340208BEEF209F69CC06FEB3BECEF89B64F110524FA55E6090D671D8529B20

Function 00A62F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

Part of subcall function 00A62DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A62DC5
Part of subcall function 00A62DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A62DD6
Part of subcall function 00A62DA7: GetCurrentThreadId.KERNEL32 ref: 00A62DDD
Part of subcall function 00A62DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A62DE4

GetFocus.USER32 ref: 00A62F78

Part of subcall function 00A62DEE: GetParent.USER32(00000000), ref: 00A62DF9

GetClassNameW.USER32(?,?,00000100), ref: 00A62FC3
EnumChildWindows.USER32(?,00A6303B), ref: 00A62FEB

Strings

%s%d, xrefs: 00A62FFF

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: addf90b2b4ec69954d5e5a0ab61fd31ef51b5ebfff6eba8800cfd01ce1ba8a53
Instruction ID: 1c92905ed93d921659e44adfa316d681e9fa1eeeab33e1723525e6311e2e87e3
Opcode Fuzzy Hash: addf90b2b4ec69954d5e5a0ab61fd31ef51b5ebfff6eba8800cfd01ce1ba8a53
Instruction Fuzzy Hash: DA11A2B6700209ABDF14BF70DD85FED377AAF94314F048075F9099B192DE309A4A8B60

Function 00A95882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A958EE
DrawMenuBar.USER32(?), ref: 00A958FD

Strings

0, xrefs: 00A9588F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 1c2ce9c91bf7bd593350c00a49984d8424cd42a3acdb0e0f7bc0f0c96dae3433
Instruction ID: ccaaa1db9dc0a86f5089388acde202d60577553597a15f5efaec2ef940d51f99
Opcode Fuzzy Hash: 1c2ce9c91bf7bd593350c00a49984d8424cd42a3acdb0e0f7bc0f0c96dae3433
Instruction Fuzzy Hash: F4016D31A00218EFDF229F61DC45BAEBBF5FB45760F10809AE849D6151DB308A84DF21

Function 00A5D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00A5D3BF
FreeLibrary.KERNEL32 ref: 00A5D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00A5D3B9
X64, xrefs: 00A5D2A8

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 8e1b97ad67c44b68ab9271633eea0f70f9719315e563c5d71f448c495ee179e0
Instruction ID: 3e0bc4b28803f2c5a4e62c4305db1691dd366971bda1c3f12bc4add7b3399a46
Opcode Fuzzy Hash: 8e1b97ad67c44b68ab9271633eea0f70f9719315e563c5d71f448c495ee179e0
Instruction Fuzzy Hash: 6AF0E571505B11ABD77597108C489EE7228BF10B23F60865AF817E90A9EB70C98DCA96

Function 00A6007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad85870cc57afa6e3b587c4744a946066665b0c3e05d7c7101ee776c1de0fd8
Instruction ID: e3892496e0f569dd0b6dc0aa060ca441b1b77012305eb2f02b29669e83064dcf
Opcode Fuzzy Hash: 5ad85870cc57afa6e3b587c4744a946066665b0c3e05d7c7101ee776c1de0fd8
Instruction Fuzzy Hash: 7DC13975A00206AFDB14CFA8C894EAEB7B5FF48705F218598E505EB251D731ED81DB90

Function 00A33E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00A33F0B
__alldvrm.LIBCMT ref: 00A3410C
__alldvrm.LIBCMT ref: 00A3412E

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: e4ba6f93ce5a0463b3f3cd73c573b03e9f2f1e66cbeff6967112049be19d41cc
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 7DA17B76E047869FEB15CF18C8917AEBBF4EF6A350F14426DF5859B281C238AD81C750

Function 00A8342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A83459
CoUninitialize.OLE32 ref: 00A83463
VariantInit.OLEAUT32(?), ref: 00A8346E
VariantClear.OLEAUT32(?), ref: 00A8371B

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 25c6724642342a827d8f99de94794a545ade0c927cc6d49766c4a9a5f340b81f
Instruction ID: f9d5b3b2e1ab812649d46dd2993dad83b3175ab8fc03f764c287b3c8ed89c98a
Opcode Fuzzy Hash: 25c6724642342a827d8f99de94794a545ade0c927cc6d49766c4a9a5f340b81f
Instruction Fuzzy Hash: 61A12A756046059FCB00EF28D985A6EB7E5FF88714F048859F98A9B3A2DB30FE41CB51

Function 00A60436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A9FC08,?), ref: 00A605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A9FC08,?), ref: 00A60608
CLSIDFromProgID.OLE32(?,?,00000000,00A9CC40,000000FF,?,00000000,00000800,00000000,?,00A9FC08,?), ref: 00A6062D
_memcmp.LIBVCRUNTIME ref: 00A6064E

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 93c8cc8a7a66f0ad2cbed3d9a7f84331e6f6a7c1b4f02bc85692fd523e2a884e
Instruction ID: fdbdbfc71cd92c76ff6cc31a4e6030f2eaf5200566bba6b1f5e8d1205842d62b
Opcode Fuzzy Hash: 93c8cc8a7a66f0ad2cbed3d9a7f84331e6f6a7c1b4f02bc85692fd523e2a884e
Instruction Fuzzy Hash: CC81FC75A00109EFCB04DF98C984DEEB7B9FF89315F208558E516EB250DB71AE46CB60

Function 00A8A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A8A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00A8A6BA

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Process32NextW.KERNEL32(00000000,?), ref: 00A8A79C
CloseHandle.KERNEL32(00000000), ref: 00A8A7AB

Part of subcall function 00A1CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00A43303,?), ref: 00A1CE8A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e2c29e6a253e8deb10cdd8df6951e1cd1394f48bc80ba30dd7f930c07a8f0cc7
Instruction ID: 10ded8debbe23b955548c8c944144f0a17a21e55bdefc93f5516a5e096a9d08e
Opcode Fuzzy Hash: e2c29e6a253e8deb10cdd8df6951e1cd1394f48bc80ba30dd7f930c07a8f0cc7
Instruction Fuzzy Hash: FC516E71508304AFD710EF24D986E6BBBE8FF89754F00891DF58597292EB70D904CBA2

Function 00A41391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A414C0

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c37f55f8bc5d4601c96c35d28699c34d172b98c59c342ee5b7e14d7696386eef
Instruction ID: b3dc3f48c987576ec0cf77331aeabc05e26814b51d638437ed281b6b41237326
Opcode Fuzzy Hash: c37f55f8bc5d4601c96c35d28699c34d172b98c59c342ee5b7e14d7696386eef
Instruction Fuzzy Hash: E0412A7DA00610ABDB216BFDAD45AFE3AB4EFC2370F244235F419D6192E77488C15762

Function 00A96278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A962E2
ScreenToClient.USER32(?,?), ref: 00A96315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00A96382

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 9d78816722b908c125012c8e6b3655ebaa1d9ed8a71ea8c86b62eabcd29cc442
Instruction ID: 70dfaea26173251af31a02e06d303e5b4f5766ae706635927f8b01352241a012
Opcode Fuzzy Hash: 9d78816722b908c125012c8e6b3655ebaa1d9ed8a71ea8c86b62eabcd29cc442
Instruction Fuzzy Hash: D0510974A00609AFDF10DF68D990AAE7BF5FF45360F10816AF9159B2A0D730ED81CB50

Function 00A81AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00A81AFD
WSAGetLastError.WSOCK32 ref: 00A81B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A81B8A
WSAGetLastError.WSOCK32 ref: 00A81B94

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 85d4b70cfdc19a707b37f65e4eb8aba7b6d3f4ca571e1f1624d9472e9b227834
Instruction ID: 66e92313d8244516832a3bbd82a85fc6ce0e5b3e85214ad6aeb01256e8bbd674
Opcode Fuzzy Hash: 85d4b70cfdc19a707b37f65e4eb8aba7b6d3f4ca571e1f1624d9472e9b227834
Instruction Fuzzy Hash: 7341A374600200AFE720AF24D98AF6977E5AB44718F54C458F91A9F3D2D772ED82CB91

Function 00A3B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae5853dac9e95d8dba1a3276954053d069ccd100ae81bb0eb500e958c948b00
Instruction ID: 56dc2a340804991cb1435386430d439ab64d6a75e7858538af876835d3b737a5
Opcode Fuzzy Hash: 5ae5853dac9e95d8dba1a3276954053d069ccd100ae81bb0eb500e958c948b00
Instruction Fuzzy Hash: 63412B75A10314BFD7249F38CD42BAABBFAEB84710F10853EF252DB281D771994187A0

Function 00A756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A75783
GetLastError.KERNEL32(?,00000000), ref: 00A757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A757FA

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 67428ccb80cc1b630a0ad1f2e2d55bd0a4695794fea8142056791096625c9745
Instruction ID: a536b3671b694a8451a87abbbcdd1527a04bba71a9b952990ec6824adb5ea0d7
Opcode Fuzzy Hash: 67428ccb80cc1b630a0ad1f2e2d55bd0a4695794fea8142056791096625c9745
Instruction Fuzzy Hash: 12414F35A00A14DFCB11EF55D944A5EBBF1EF49720B19C888E84A5B3A2CB70FD41DB91

Function 00A3D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00A26D71,00000000,00000000,00A282D9,?,00A282D9,?,00000001,00A26D71,8BE85006,00000001,00A282D9,00A282D9), ref: 00A3D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A3D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00A3D9AB
__freea.LIBCMT ref: 00A3D9B4

Part of subcall function 00A33820: RtlAllocateHeap.NTDLL(00000000,?,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6,?,00A01129), ref: 00A33852

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9ade8d59299ca06fc4b628d6080416825238dbcec312a4d1a3f5e323e356929c
Instruction ID: fc7082a5b94228e8965369d3712b9ffd3d0e933645fd8520a3f4cdb8e633796e
Opcode Fuzzy Hash: 9ade8d59299ca06fc4b628d6080416825238dbcec312a4d1a3f5e323e356929c
Instruction Fuzzy Hash: 2F31BC72A0021AEBDF25DFA4EC41EAE7BA5EB44310F154269FC04DB251EB35DD51CBA0

Function 00A952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00A95352
GetWindowLongW.USER32(?,000000F0), ref: 00A95375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A95382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A953A8

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f5be4d647af11bd4e184904dfaf4a463dfbbe3feb550f9cef889f4e482a14a09
Instruction ID: e3eb6a4d2ca9f0860873e324a9ad0f3a28d338196ef315c7bd2515f17310425a
Opcode Fuzzy Hash: f5be4d647af11bd4e184904dfaf4a463dfbbe3feb550f9cef889f4e482a14a09
Instruction Fuzzy Hash: 0B31CF34F55A08EFEF269B74CC27BEA37E1AB05390F584102FA119E1E1C7B49981AB51

Function 00A6AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00A6ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00A6AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00A6AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00A6ACC6

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d0244d0ac1c2524d6238e54089e4452392770926d5823c0739f04dc9f8fe4c3c
Instruction ID: 62b3a8d7908f202137ecc12ec63a8b297a74949c81760e7e99cee8cccb4bebb2
Opcode Fuzzy Hash: d0244d0ac1c2524d6238e54089e4452392770926d5823c0739f04dc9f8fe4c3c
Instruction Fuzzy Hash: 33310730A407186FEF35CBA58C047FA7BB5ABA9320F04431AE485A21D1C375D9859B62

Function 00A97674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A9769A
GetWindowRect.USER32(?,?), ref: 00A97710
PtInRect.USER32(?,?,00A98B89), ref: 00A97720
MessageBeep.USER32(00000000), ref: 00A9778C

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6642214b9bf0a863595573da8159540885153cf96ed73e229fc873a66d140684
Instruction ID: aa02ba317f2afa804dc0ce849402296cf78eb24336563cf666c9eacb08587e2a
Opcode Fuzzy Hash: 6642214b9bf0a863595573da8159540885153cf96ed73e229fc873a66d140684
Instruction Fuzzy Hash: 35415A38B19214EFCF11CFE8C894EADB7F5BB49314F1541A9E9159B261C730A942CBA0

Function 00A916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A916EB

Part of subcall function 00A63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A63A57
Part of subcall function 00A63A3D: GetCurrentThreadId.KERNEL32 ref: 00A63A5E
Part of subcall function 00A63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A625B3), ref: 00A63A65

GetCaretPos.USER32(?), ref: 00A916FF
ClientToScreen.USER32(00000000,?), ref: 00A9174C
GetForegroundWindow.USER32 ref: 00A91752

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b17ffcd40d5e0f34b1e1b46c16120c911f1217cd1907326e03bc2c10b1a5c514
Instruction ID: b532e3ae10db4b79e6ac1f5954bf4356c2da10468d60f0e269928786ce069e15
Opcode Fuzzy Hash: b17ffcd40d5e0f34b1e1b46c16120c911f1217cd1907326e03bc2c10b1a5c514
Instruction Fuzzy Hash: 6B315275E00249AFDB00EFA9D981CAEB7F9EF48314B5080AAE415E7251DB319E45CFA1

Function 00A6DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00A07620: _wcslen.LIBCMT ref: 00A07625

_wcslen.LIBCMT ref: 00A6DFCB
_wcslen.LIBCMT ref: 00A6DFE2
_wcslen.LIBCMT ref: 00A6E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00A6E018

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 860c4a969eb7439eaa79a8b5057ddbb33c59ef4ca0f78fabf93343cf5ddc0433
Instruction ID: 7aa7aa68f512c11aa0f6aab1b7dae607395a1d254b29b50424d67711c20932e1
Opcode Fuzzy Hash: 860c4a969eb7439eaa79a8b5057ddbb33c59ef4ca0f78fabf93343cf5ddc0433
Instruction Fuzzy Hash: 8021E275D40224EFCB20DFA8DA81BAEB7F8EF45750F104065E815BB282D7B09E41CBA1

Function 00A98FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

GetCursorPos.USER32(?), ref: 00A99001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A57711,?,?,?,?,?), ref: 00A99016
GetCursorPos.USER32(?), ref: 00A9905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A57711,?,?,?), ref: 00A99094

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 3de18ef9cbff504741503718347bc13af9c2cc1c2b2e97478dd4bf2b97d0e417
Instruction ID: 20aea0447ba11c8277fcae55f73d83dfb352a3388cc37959c0522ef772f00b79
Opcode Fuzzy Hash: 3de18ef9cbff504741503718347bc13af9c2cc1c2b2e97478dd4bf2b97d0e417
Instruction Fuzzy Hash: 9E217C35700018BFCF25CF99C898EEB7BF9EB49360F04405AF9154B261C73299A1DB61

Function 00A6D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00A9CB68), ref: 00A6D2FB
GetLastError.KERNEL32 ref: 00A6D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A6D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A9CB68), ref: 00A6D376

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 70d962cad9fcce28acbf39d4243ac63aaa93670cfde9f9e3dd47170efa041a19
Instruction ID: 3c355c4f701615430c84a7ab6e0c834d24d924b7e4d9b138181ce6e82f1f2a6b
Opcode Fuzzy Hash: 70d962cad9fcce28acbf39d4243ac63aaa93670cfde9f9e3dd47170efa041a19
Instruction Fuzzy Hash: 9C219170A042019FC710EF64D9818AB77F4AE553A4F504A1DF499DB3E1EB30D946CB93

Function 00A61571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A61014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A6102A
Part of subcall function 00A61014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A61036
Part of subcall function 00A61014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A61045
Part of subcall function 00A61014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A6104C
Part of subcall function 00A61014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A61062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A615BE
_memcmp.LIBVCRUNTIME ref: 00A615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A61617
HeapFree.KERNEL32(00000000), ref: 00A6161E

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 84b9c478402aaa14b5953865d4dfccd14cff27071ffff2a000302e39f034bb9d
Instruction ID: 5b063b117d0ba403d629cc94f3d33bc172f8243844f2574b57cea977cdefa101
Opcode Fuzzy Hash: 84b9c478402aaa14b5953865d4dfccd14cff27071ffff2a000302e39f034bb9d
Instruction Fuzzy Hash: 7F217C75E00109EFDF10DFA8C945BEEBBB8EF44354F194459E441AB241EB70AA05CBA0

Function 00A92782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00A9280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A92824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A92832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A92840

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 225e7e0d709b5f5a52ef4be5b39046ab1e296b738a08a15304ee7f3914540e97
Instruction ID: a61e797f736fbd29800a2e60e8ec58d47e1f029baae5308bc3fc4a15cdf40138
Opcode Fuzzy Hash: 225e7e0d709b5f5a52ef4be5b39046ab1e296b738a08a15304ee7f3914540e97
Instruction Fuzzy Hash: A021BD31304511BFDB14DB24CC44FAA7BA5AF85324F148259F42A8B6E2CB71FC82CBA0

Function 00A678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A68D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00A6790A,?,000000FF,?,00A68754,00000000,?,0000001C,?,?), ref: 00A68D8C
Part of subcall function 00A68D7D: lstrcpyW.KERNEL32(00000000,?,?,00A6790A,?,000000FF,?,00A68754,00000000,?,0000001C,?,?,00000000), ref: 00A68DB2
Part of subcall function 00A68D7D: lstrcmpiW.KERNEL32(00000000,?,00A6790A,?,000000FF,?,00A68754,00000000,?,0000001C,?,?), ref: 00A68DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00A68754,00000000,?,0000001C,?,?,00000000), ref: 00A67923
lstrcpyW.KERNEL32(00000000,?,?,00A68754,00000000,?,0000001C,?,?,00000000), ref: 00A67949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00A68754,00000000,?,0000001C,?,?,00000000), ref: 00A67984

Strings

cdecl, xrefs: 00A6797B

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 2f92461caed93758edab2e48eb18f3512365219bc8009798d13240f2983d1350
Instruction ID: ded635a6ca30a101a1a784ee240d98b6f22fe1eb600ef95c8d88e2a21a65e8ac
Opcode Fuzzy Hash: 2f92461caed93758edab2e48eb18f3512365219bc8009798d13240f2983d1350
Instruction Fuzzy Hash: 5711003A200242AFCB159F38C844E7A77F9FF85394B50802AF806CB2A4EF319801C7A1

Function 00A97CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00A97D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00A97D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A97D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A7B7AD,00000000), ref: 00A97D6B

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4a750c39ef7c5e49b809463c7a6a83ee08ec36413fa036fad23b41d4a56adf6d
Instruction ID: c1f45890f2c7300521bf29f303e43146e691e7c5002edcaa4059b94f0a99286f
Opcode Fuzzy Hash: 4a750c39ef7c5e49b809463c7a6a83ee08ec36413fa036fad23b41d4a56adf6d
Instruction Fuzzy Hash: DA118C71629615AFCF10DFA8DC04AAA3BA5AF45360F154725F83AC72E0DB309D52CB60

Function 00A95660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00A956BB
_wcslen.LIBCMT ref: 00A956CD
_wcslen.LIBCMT ref: 00A956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A95816

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 717837b78b7917a35b2c26fc86f816d45a01bfce8d97bc27fab4a3752ebab88c
Instruction ID: f9849cae54a6c2da4ff746e8c473e0dd67ec79a074e0887908ac195fc10d87df
Opcode Fuzzy Hash: 717837b78b7917a35b2c26fc86f816d45a01bfce8d97bc27fab4a3752ebab88c
Instruction Fuzzy Hash: 4F11B471F00614A6DF21DFB5DC86AEE77FCAF51760B108026FA15D6081EB748980CBA0

Function 00A31D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1832179f30c2399cc3dd5e2af1c6d1ba1d99498cc162afe0a26a0c550b7431
Instruction ID: 704e0c0c1b95bbc3082a5883ac81292c889c59924bde492f772cd57c1869fcb2
Opcode Fuzzy Hash: 2f1832179f30c2399cc3dd5e2af1c6d1ba1d99498cc162afe0a26a0c550b7431
Instruction Fuzzy Hash: DD0181B2209A167EF6212BB87CC1F67676DDF867F8F340326F521A11D2DB609C015170

Function 00A61A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A61A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A61A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A61A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A61A8A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a5c3c5ba7c4403a3a18d071a11db5d69cd89882d12b41d7b47c4bee37e627cd1
Instruction ID: 0838ec502c51af8115628b08a327a16e43c778add029afcf7191a5d863c3aab1
Opcode Fuzzy Hash: a5c3c5ba7c4403a3a18d071a11db5d69cd89882d12b41d7b47c4bee37e627cd1
Instruction Fuzzy Hash: 9E11393AD01219FFEB11DBE4CD85FADBB78EB18750F240492EA04B7290D6716E50DB94

Function 00A6E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A6E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00A6E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A6E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A6E24D

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b81b14355c4ea47698bb2db0ab543e830cbb9c1cf786af9b638cfb671b4eb106
Instruction ID: bad64b993f77ba0c665a92f7932e90dff94dc29d8516185a4c777fba1e08d44f
Opcode Fuzzy Hash: b81b14355c4ea47698bb2db0ab543e830cbb9c1cf786af9b638cfb671b4eb106
Instruction Fuzzy Hash: 2711C876A04254BBCB01DBF89C09ADE7FBDAB45320F144256F915D7291D6708A0587A0

Function 00A2D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00A2CFF9,00000000,00000004,00000000), ref: 00A2D218
GetLastError.KERNEL32 ref: 00A2D224
__dosmaperr.LIBCMT ref: 00A2D22B
ResumeThread.KERNEL32(00000000), ref: 00A2D249

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: ccdcfb598d3d85f1f526ed754ff33a381746c55d24537d5f1cf410e15142eccf
Instruction ID: d516fa80b8a16416c6d950ec6e02992b4ac817a143e477a42a7a65731d95630d
Opcode Fuzzy Hash: ccdcfb598d3d85f1f526ed754ff33a381746c55d24537d5f1cf410e15142eccf
Instruction Fuzzy Hash: 5F01C436505224BBDB115BA9EC09BEE7A69EF81730F100239F925961D1CF708901C7A0

Function 00A99EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

GetClientRect.USER32(?,?), ref: 00A99F31
GetCursorPos.USER32(?), ref: 00A99F3B
ScreenToClient.USER32(?,?), ref: 00A99F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00A99F7A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 297db2bf5a6fd24f7e61036112a50c94e252e99ec44eccb9a654a0bca11998d1
Instruction ID: bb887d0305ca1a4610ff749f6a2a801d5ae562f3a2e04cd9e9b0e6ee01c40eb3
Opcode Fuzzy Hash: 297db2bf5a6fd24f7e61036112a50c94e252e99ec44eccb9a654a0bca11998d1
Instruction Fuzzy Hash: D0111532A0051ABBDF10DFA8D9899EFB7B9FB45311F40045AF912E7150D730BA82CBA1

Function 00A0600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A0604C
GetStockObject.GDI32(00000011), ref: 00A06060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A0606A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 9f271e7405eabcd8c9c018798e264111ceccc90dec8a77450d4ad7a3142d8c87
Instruction ID: c5f4279b20ae61f99206132607e56f8a80bd990dfca8606b35ab37651e7c6e33
Opcode Fuzzy Hash: 9f271e7405eabcd8c9c018798e264111ceccc90dec8a77450d4ad7a3142d8c87
Instruction Fuzzy Hash: B611A17250150CBFEF128FD4DC44EEA7B69EF08369F044202FA0452050DB329C60DBA0

Function 00A23B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00A23B56

Part of subcall function 00A23AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00A23AD2
Part of subcall function 00A23AA3: ___AdjustPointer.LIBCMT ref: 00A23AED

_UnwindNestedFrames.LIBCMT ref: 00A23B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00A23B7C
CallCatchBlock.LIBVCRUNTIME ref: 00A23BA4

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 8004581a8a9123efcf5f816695b88dba15a0dd6c0c554cb52267a06c14b5db80
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: D4012933100158BBDF126F9AED42EEB3F6AEF49754F044024FE4856121C736E961DBA0

Function 00A33073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00A013C6,00000000,00000000,?,00A3301A,00A013C6,00000000,00000000,00000000,?,00A3328B,00000006,FlsSetValue), ref: 00A330A5
GetLastError.KERNEL32(?,00A3301A,00A013C6,00000000,00000000,00000000,?,00A3328B,00000006,FlsSetValue,00AA2290,FlsSetValue,00000000,00000364,?,00A32E46), ref: 00A330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A3301A,00A013C6,00000000,00000000,00000000,?,00A3328B,00000006,FlsSetValue,00AA2290,FlsSetValue,00000000), ref: 00A330BF

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 69c24edae25213b735c8e73c2e25fe67b29fd1645ffae57cc23df21de1963667
Instruction ID: 0714ef217ff92d95fd1d19af37316fa52c361908b8511d39bd83cf447ce1d3ed
Opcode Fuzzy Hash: 69c24edae25213b735c8e73c2e25fe67b29fd1645ffae57cc23df21de1963667
Instruction Fuzzy Hash: 1D01AC33749732ABCF358BB9AC44A5777989F46771F210621F946D7150DB21DD02C6E0

Function 00A67464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00A6747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A67497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00A674CA

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: fc35bb38a3aa17799cb01d62a7b6048f27c3cd8c397f2ef1c52a048bdf77661b
Instruction ID: 90c771b78e7ce0899cde014d71f0f44e07800f7a6eb94408b58b6216158c01e4
Opcode Fuzzy Hash: fc35bb38a3aa17799cb01d62a7b6048f27c3cd8c397f2ef1c52a048bdf77661b
Instruction Fuzzy Hash: C811ADB5315710ABE720CF58DD0CB9A7BFCEB40B18F50856AA616D6191DFB0E904DBA0

Function 00A6B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A6ACD3,?,00008000), ref: 00A6B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A6ACD3,?,00008000), ref: 00A6B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A6ACD3,?,00008000), ref: 00A6B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A6ACD3,?,00008000), ref: 00A6B126

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 7b4d088afe67b7d8c12160c2682d7c80211dd9bd61a39ef893efbcf1e9f76515
Instruction ID: 0fcfb8a4cc998fc8076b8e1f7e8717cff5ae32edb75e2586e34758037ad78b86
Opcode Fuzzy Hash: 7b4d088afe67b7d8c12160c2682d7c80211dd9bd61a39ef893efbcf1e9f76515
Instruction Fuzzy Hash: 42115E31D1192CE7CF00DFE4E9586EEBF78FF0A711F114286D941B2145CB3095918B65

Function 00A97E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A97E33
ScreenToClient.USER32(?,?), ref: 00A97E4B
ScreenToClient.USER32(?,?), ref: 00A97E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A97E8A

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 44b2ac7f83054980735b29488f5d1408f9723742174eb7d79f16d0e6c14737c1
Instruction ID: 0b2d943428e43dd30e7579cb9bf1e45f71ca076d47c2f88ee15a50dbdf42b462
Opcode Fuzzy Hash: 44b2ac7f83054980735b29488f5d1408f9723742174eb7d79f16d0e6c14737c1
Instruction Fuzzy Hash: 771113B9E0064AAFDB41DF98C9849EEBBF5FB08310F505056E915E2210D735AA55CF50

Function 00A62DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A62DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A62DD6
GetCurrentThreadId.KERNEL32 ref: 00A62DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A62DE4

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 66c96867295f95b4dbb3b43bdc1db020072f4fa9b88bbb3b4a47b4daaa9b62ad
Instruction ID: d94925ae98c8d83358e8d5adf6638b604c7ccdc006ac0e40c0cc92d42c0acfe8
Opcode Fuzzy Hash: 66c96867295f95b4dbb3b43bdc1db020072f4fa9b88bbb3b4a47b4daaa9b62ad
Instruction Fuzzy Hash: 8AE06D71201A24BADB205BA29C0DFEB7E7CEB42BB1F401516B205D10909AA18942C7B0

Function 00A98863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00A19639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A19693
Part of subcall function 00A19639: SelectObject.GDI32(?,00000000), ref: 00A196A2
Part of subcall function 00A19639: BeginPath.GDI32(?), ref: 00A196B9
Part of subcall function 00A19639: SelectObject.GDI32(?,00000000), ref: 00A196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00A98887
LineTo.GDI32(?,?,?), ref: 00A98894
EndPath.GDI32(?), ref: 00A988A4
StrokePath.GDI32(?), ref: 00A988B2

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9cceb47d378750a699f9f5a36f28c881cb2ed7cf87484565d61bee2ce40b2cff
Instruction ID: 4a12b9ed25d50a4cc5ca1cc45ed1cb64edc5094f3b32dd897e75ae30934ee5d0
Opcode Fuzzy Hash: 9cceb47d378750a699f9f5a36f28c881cb2ed7cf87484565d61bee2ce40b2cff
Instruction Fuzzy Hash: B1F05E36242658FADB12AFD4AC09FCE3F59AF06320F448102FA22650E1CB795552CFF9

Function 00A198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A198CC
SetTextColor.GDI32(?,?), ref: 00A198D6
SetBkMode.GDI32(?,00000001), ref: 00A198E9
GetStockObject.GDI32(00000005), ref: 00A198F1

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 6618d8c72677d3248620b20b706915db92149d8f97ed64017c6e199632c20255
Instruction ID: 336d1b6b52ae8ee8871438488a279aec7ab6e39e8be4cca7ed37e5830c49f7fe
Opcode Fuzzy Hash: 6618d8c72677d3248620b20b706915db92149d8f97ed64017c6e199632c20255
Instruction Fuzzy Hash: 62E06D31344A80ABDB219BB4BC09BED3F20AB12336F14831AFAFA580E1CB714645DB10

Function 00A6162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00A61634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00A611D9), ref: 00A6163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A611D9), ref: 00A61648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00A611D9), ref: 00A6164F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 9bbbcbe536ac788a8dd2efc6440e5fe4955c6176c30f99b7ac82b2cd95ece48e
Instruction ID: f453d45511f0c8f242a4706b57a3a5b35dff982aa5d4f7edd42acad5e2e6327f
Opcode Fuzzy Hash: 9bbbcbe536ac788a8dd2efc6440e5fe4955c6176c30f99b7ac82b2cd95ece48e
Instruction Fuzzy Hash: D0E08639701211EBDB205FE09E0DB873F7CAF447A5F188809F345C9080DE344542C760

Function 00A5D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A5D858
GetDC.USER32(00000000), ref: 00A5D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A5D882
ReleaseDC.USER32(?), ref: 00A5D8A3

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7f80aaa12568f6ffb2b3c2c46206e9578ccc07d36732f9430c679d7f1dc07f64
Instruction ID: 00058388e89d7c65f40bedddc94778b8f70bfe0eb390d37e7b2c53c2a31cc2fc
Opcode Fuzzy Hash: 7f80aaa12568f6ffb2b3c2c46206e9578ccc07d36732f9430c679d7f1dc07f64
Instruction Fuzzy Hash: 23E01AB5900605DFCF41DFE0D90866DBBB1FB08321F14900AE906E7250CF399942AF50

Function 00A5D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A5D86C
GetDC.USER32(00000000), ref: 00A5D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A5D882
ReleaseDC.USER32(?), ref: 00A5D8A3

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1495102c1b1bdd16c5b7aba3e3eb1988a735c57864ab18454a228c1d03615e8d
Instruction ID: d40fef7d361b3529daaf0ad96b7e0d9fb2f5cc6aaca4b6da5d8ef6500cf65010
Opcode Fuzzy Hash: 1495102c1b1bdd16c5b7aba3e3eb1988a735c57864ab18454a228c1d03615e8d
Instruction Fuzzy Hash: 92E092B5A00605EFCF51EFE0D90866DBBB5BB08321F14944AEA4AE7250CF399942AF50

Function 00A74D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07620: _wcslen.LIBCMT ref: 00A07625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00A74ED4

Strings

*, xrefs: 00A74E10
LPT, xrefs: 00A74DFB

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 1956307130a8b1ad620c1c4ad2c6de7f77b73f764c7b265b9147ed59f3755c9a
Instruction ID: ef5dd510de09d9257f930336a2aa8c8056de670c53ed8c799a3611e432d53d83
Opcode Fuzzy Hash: 1956307130a8b1ad620c1c4ad2c6de7f77b73f764c7b265b9147ed59f3755c9a
Instruction Fuzzy Hash: 94917175A002049FCB14DF58C984EAABBF5BF48714F19C099E80A9F3A2D735ED85CB91

Function 00A2E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00A2E30D

Strings

pow, xrefs: 00A2E2E5, 00A2E302

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 07cf807acd2faf2c17c1ace3afd170985e647aabca7694275ee0280ff1be65bc
Instruction ID: d33295125624fcdd27119aa13e877883a3bc95a1f52810c47212f7505e96e20c
Opcode Fuzzy Hash: 07cf807acd2faf2c17c1ace3afd170985e647aabca7694275ee0280ff1be65bc
Instruction Fuzzy Hash: F5513DB1A0C20296CB35F71CEA417BD3BA4AF40781F344978F496462E9DB358CD59B86

Function 00A1E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00A1E1B1

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: a31a85eff4211af3702de4ddda38b05690f02a0e2e148598474519ee15445653
Instruction ID: e3092182d3e78e4c313c10ce93ed8f647562bd9f3e8b5f4b482622bb681db9dd
Opcode Fuzzy Hash: a31a85eff4211af3702de4ddda38b05690f02a0e2e148598474519ee15445653
Instruction Fuzzy Hash: C8513271A00256DFDF19DF68D091AFA7BA9FF29311F244059FC919B2C0D6309E86CBA0

Function 00A1F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A1F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00A1F2BB

Strings

@, xrefs: 00A1F2AF

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f29423f939949d273c7f298400a7bafc329ec4bee7e7a2d80d12c3c92546a9b6
Instruction ID: 26807b64d2219ab06e36f5f3728af13ad3466ce93afc334501c5622e396cdca6
Opcode Fuzzy Hash: f29423f939949d273c7f298400a7bafc329ec4bee7e7a2d80d12c3c92546a9b6
Instruction Fuzzy Hash: EC5155718087499BD320EF50E986BAFBBF8FB84310F81894DF199411A5EB309529CB67

Function 00A85745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00A857E0
_wcslen.LIBCMT ref: 00A857EC

Strings

CALLARGARRAY, xrefs: 00A857E6, 00A857EB

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: d2e6862c5221fc00ef83242ed4a3c3d4240f1d4e158ef3406727ec1a22d49d9b
Instruction ID: 0b33954887aeb35f64a227650a85cbdffd8dfd0cc1dde1f77adff6bba2103099
Opcode Fuzzy Hash: d2e6862c5221fc00ef83242ed4a3c3d4240f1d4e158ef3406727ec1a22d49d9b
Instruction Fuzzy Hash: 29419171E006099FCB14EFB9C9819EEBBF5FF59324F10406AE905A7291EB709D81DB90

Function 00A7D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A7D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A7D13A

Strings

|, xrefs: 00A7D10B

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 210e42364f57ffc6f1fbbf6141389d8b5e810312160121f54f3eb640bdf2ca6b
Instruction ID: 12dc46bab57ad61784c3c6d67ee5dcc54c3c0784e829cbe282ae3cd1283c433c
Opcode Fuzzy Hash: 210e42364f57ffc6f1fbbf6141389d8b5e810312160121f54f3eb640bdf2ca6b
Instruction Fuzzy Hash: 41313E71D00219ABCF15EFA4DD85AEE7FB9FF04304F404119F819A61A2E731AA56CB60

Function 00A9356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00A93621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A9365C

Strings

static, xrefs: 00A935BC

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: cf0f7d31f64eaf9a42c6c2c0f3abe98ceb95d29e8ae244dc4d384e48f92fd138
Instruction ID: 96e33243aec671736260ef21c1838102a60d82f92288871578335fcb330dfe75
Opcode Fuzzy Hash: cf0f7d31f64eaf9a42c6c2c0f3abe98ceb95d29e8ae244dc4d384e48f92fd138
Instruction Fuzzy Hash: 65317872200604AEDF10DF68D880ABB73F9FF88724F10961AF9A5D7280DA31A991D760

Function 00A94537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00A9461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A94634

Strings

', xrefs: 00A9458E

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: fd9c074450b10d11fba2c59e99b83a2890921231802a22793039397e4f12c24b
Instruction ID: 269388906a6dedbcd9c95cc0bfd3702ffafd4eb116cca13f3626ba5f826cfa6a
Opcode Fuzzy Hash: fd9c074450b10d11fba2c59e99b83a2890921231802a22793039397e4f12c24b
Instruction Fuzzy Hash: 933117B4B012099FDF14CFA9C990BDA7BF5FB09300F11416AE905AB341E770A942CF90

Function 00A931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A9327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A93287

Strings

Combobox, xrefs: 00A93249

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: c6e68b2a2555fd126bb945860717103d74d6b46e9c9c519b30106dfc6bab8ad3
Instruction ID: 11c632a20383bf9c9d4b01bb3de57714fb1e4906af9c0af2b131c3ad2aae1aee
Opcode Fuzzy Hash: c6e68b2a2555fd126bb945860717103d74d6b46e9c9c519b30106dfc6bab8ad3
Instruction Fuzzy Hash: 6E11B2723002087FFF25DF94DC84EFB37AAEBA4364F104529FA1997290D6759D518760

Function 00A93710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A0600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A0604C
Part of subcall function 00A0600E: GetStockObject.GDI32(00000011), ref: 00A06060
Part of subcall function 00A0600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A0606A

GetWindowRect.USER32(00000000,?), ref: 00A9377A
GetSysColor.USER32(00000012), ref: 00A93794

Strings

static, xrefs: 00A93757

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 78dfec82e00f8f1153ee8554d507b9d059f6704e19639f3e10b5a103d5597bda
Instruction ID: 84fd2f1f3e58e4b4d46d79d237f8f9e89d4af875594c2dc666693165b21bf15a
Opcode Fuzzy Hash: 78dfec82e00f8f1153ee8554d507b9d059f6704e19639f3e10b5a103d5597bda
Instruction Fuzzy Hash: 1C1126B2610209AFDF00DFA8CD46AEA7BF8FB08314F004915F956E2250EB35E8619B60

Function 00A7CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A7CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A7CDA6

Strings

<local>, xrefs: 00A7CD66

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7aa1dab7c6af8b39940f21187559a9cd9a29af724f5b9a9c0daa4bc3cd8a465e
Instruction ID: 71b0468a880698e8d54a4d3d45984c1a02041f194db0d2a94abb5086abc31c92
Opcode Fuzzy Hash: 7aa1dab7c6af8b39940f21187559a9cd9a29af724f5b9a9c0daa4bc3cd8a465e
Instruction Fuzzy Hash: 3811A071205631BAD7384BA68C49EE7BEACEB127B4F00C22EB10D82181D6649941D6F0

Function 00A93429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A934BA

Strings

edit, xrefs: 00A9348F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 708c1ca1fb7f08657bf83b1d52244d77f08c5b27e6d3ce502109816d465ccb8c
Instruction ID: bf4a69558cf6e653c9994751061732d187c06cbf149c6ebc4f8e0e86cdeeb3c3
Opcode Fuzzy Hash: 708c1ca1fb7f08657bf83b1d52244d77f08c5b27e6d3ce502109816d465ccb8c
Instruction Fuzzy Hash: 10116D72200108AAEF118F64DC44AAA37FAEB85779F514724F965931D0C775EC519760

Function 00A66C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

CharUpperBuffW.USER32(?,?,?), ref: 00A66CB6
_wcslen.LIBCMT ref: 00A66CC2

Strings

STOP, xrefs: 00A66CBC, 00A66CC1

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: e55d6c521c93dfc3ce420039c12320caa43d08512263e75b1e3fa4ccb889c48b
Instruction ID: 0483fe8beeea1c490312d422be816918011758a0765de8fa254b286b9757ef5f
Opcode Fuzzy Hash: e55d6c521c93dfc3ce420039c12320caa43d08512263e75b1e3fa4ccb889c48b
Instruction Fuzzy Hash: DB01D232A0092ACBCB20AFFDDD809BF77B5EF65714B100538E862971D1EB31D940C650

Function 00A61CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A61D4C

Strings

ListBox, xrefs: 00A61D16
ComboBox, xrefs: 00A61CEB

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bc2c67483f60637f693a848ba33419c4a34c4c6469c193e45598e00d60a27c42
Instruction ID: 8e97d3ff186cf048b9a5b82b0da644b35bab70cef61432584fcb7577cda5287a
Opcode Fuzzy Hash: bc2c67483f60637f693a848ba33419c4a34c4c6469c193e45598e00d60a27c42
Instruction Fuzzy Hash: 5901B571A01218ABCF04EBA4DD51DFF7BB8FB56350F040919F822573C2EA30590D8660

Function 00A61BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00A61C46

Strings

ListBox, xrefs: 00A61C10
ComboBox, xrefs: 00A61BE5

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 61e1d128858cadce18ed9d9c21db7954dcc60a6d8b06696efcd70f21c1d672e0
Instruction ID: 96226f7fbc310f41266a0850a1c11d24c6549d7863831fb2a139ab1d3b126bd0
Opcode Fuzzy Hash: 61e1d128858cadce18ed9d9c21db7954dcc60a6d8b06696efcd70f21c1d672e0
Instruction Fuzzy Hash: 3401A775B811086ADF04EBA0DA52EFF7BB89B11340F140019B506672C2EA249E1C96B1

Function 00A61C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00A61CC8

Strings

ListBox, xrefs: 00A61C94
ComboBox, xrefs: 00A61C69

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b9af66f8b79b8936aa32efa03d4b5fb65b993f5a429a042932c012f9bfb0b9d7
Instruction ID: 8479dc9130bec1a25188bfed30bfdd4c03b488b0160afea70ab57714eb6d1e6c
Opcode Fuzzy Hash: b9af66f8b79b8936aa32efa03d4b5fb65b993f5a429a042932c012f9bfb0b9d7
Instruction Fuzzy Hash: 5001A7B1A4011866DB04E7A0DB01EFF7BB89B11340F140415B801732C2EA209F19D671

Function 00A61D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00A61DD3

Strings

ListBox, xrefs: 00A61DA0
ComboBox, xrefs: 00A61D75

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: eb45d6d24d7f5784d4f75fe895e73ece3ff2c144db775e0ba0f7d42ab0f5f1f8
Instruction ID: 18ce55277a2d09eae34cea6aa43c87883eda6bebbd93d858ba585232b96d280a
Opcode Fuzzy Hash: eb45d6d24d7f5784d4f75fe895e73ece3ff2c144db775e0ba0f7d42ab0f5f1f8
Instruction Fuzzy Hash: 89F0A471F41218AADB04E7A4DE52FFF7BB8AB01350F080D19B922632C2EA60690D8261

Function 00A8747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A87493
_wcslen.LIBCMT ref: 00A874B9

Strings

3, 3, 16, 1, xrefs: 00A87483

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 70370a97feae3e58f5f5a4493f2a5b81c52e819972f3e6f01f6475343c416291
Instruction ID: 9de4e2a349c86fd234508ce4d8daffe07d0b342fe07db665cc48fa9670e3e31d
Opcode Fuzzy Hash: 70370a97feae3e58f5f5a4493f2a5b81c52e819972f3e6f01f6475343c416291
Instruction Fuzzy Hash: 01E02B02204230209331337DADC1A7F5689DFC9750734183BF995C2266EAD4CDD193A0

Function 00A60B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A60B23

Strings

AutoIt, xrefs: 00A60B17
Error allocating memory., xrefs: 00A60B1C

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: e004005283f724929c6da976a547a5da3c9734caad0c99021f85fc62eabdb260
Instruction ID: 6c033f17a417524e8942489964cc6f67b5c0b44c7938aea57754ddfb243ddfe6
Opcode Fuzzy Hash: e004005283f724929c6da976a547a5da3c9734caad0c99021f85fc62eabdb260
Instruction Fuzzy Hash: 59E0DF323887183AD61037947D03FCA7AC49F09B64F10082AFB88994C38EE224E006A9

Function 00A20D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A1F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A20D71,?,?,?,00A0100A), ref: 00A1F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00A0100A), ref: 00A20D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A0100A), ref: 00A20D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A20D7F

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 53dd62170cced23a14f53385aec95f9c5834fd91c2c27f195576ab0523766aa1
Instruction ID: 67f0bf4e16775ebfc0e97c3fb8f8cad2ff48c7b11f48e0443f2adc59cd76bc39
Opcode Fuzzy Hash: 53dd62170cced23a14f53385aec95f9c5834fd91c2c27f195576ab0523766aa1
Instruction Fuzzy Hash: E1E06D743017518FD760EFBCE504B827BE0AB00740F00493EE482C6652EBB0E4458B91

Function 00A73017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00A7302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00A73044

Strings

aut, xrefs: 00A73038

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 9088b4043ecaf5b7cbca19888d8380a5fe2fc5ec2ff23b2b65581c4244ee73d0
Instruction ID: 13400c0573b0a0ffcbd287b31fccd0de9e3735fe772184fe63c3982df145f9e0
Opcode Fuzzy Hash: 9088b4043ecaf5b7cbca19888d8380a5fe2fc5ec2ff23b2b65581c4244ee73d0
Instruction Fuzzy Hash: 24D05B7150031477DA20E7D89C0DFC73A6CD704760F0005527655D2091DEB09545CAD0

Function 00A5D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A5D220

Strings

%.3d, xrefs: 00A5D22B
X64, xrefs: 00A5D2A8

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: f264dc80c6e4682e0c26db7d3d8b485839ded9839aa4c1a1d2c55aff02363b54
Instruction ID: 63d8794a266382741623f6c7ec0710268c3749f257e3f5c28f0c7827c811e36e
Opcode Fuzzy Hash: f264dc80c6e4682e0c26db7d3d8b485839ded9839aa4c1a1d2c55aff02363b54
Instruction Fuzzy Hash: E8D012B580C148FDCB6097D0CC459FDB37CBB08302F508456FC0691040D634D54CAB61

Function 00A92322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A9232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A9233F

Part of subcall function 00A6E97B: Sleep.KERNEL32 ref: 00A6E9F3

Strings

Shell_TrayWnd, xrefs: 00A92325

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c1a3f66732c8d689999ee4330b07126d5c11d25b58880e99b14a331bd0a1788e
Instruction ID: 6fa356245a506a0c9efa57c9b2ea420452a38b2b403dbf3bfc0417d06483f1b6
Opcode Fuzzy Hash: c1a3f66732c8d689999ee4330b07126d5c11d25b58880e99b14a331bd0a1788e
Instruction Fuzzy Hash: 27D0C936394710B6E664E7B09C0FFC6AA24AF00B20F0149167745AA1D4C9A4A8028A54

Function 00A92356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A9236C
PostMessageW.USER32(00000000), ref: 00A92373

Part of subcall function 00A6E97B: Sleep.KERNEL32 ref: 00A6E9F3

Strings

Shell_TrayWnd, xrefs: 00A92365

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f351dbe3bee7ccc8d5313af0c2245f7af543e51a122f081eba60467e8b8f2188
Instruction ID: 07a6fd3226b25ef7cc9a96b1952f615934bf535ff9f7e873619368cf4ac51f5c
Opcode Fuzzy Hash: f351dbe3bee7ccc8d5313af0c2245f7af543e51a122f081eba60467e8b8f2188
Instruction Fuzzy Hash: 98D0C9363C17107AE664E7B09C0FFC6A624AB04B20F0149167745AA1D4C9A4A8028A54

Function 00A3BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00A3BE93
GetLastError.KERNEL32 ref: 00A3BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A3BEFC

Memory Dump Source

Source File: 00000000.00000002.1310976190.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1310946901.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311455053.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311568734.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1311761628.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: f30803284fcd569138ebfe137607432e2cc720968c0e6c88609b75d8cc9aeec9
Instruction ID: 6f7f2c627aea8653ff983b9fd4818989a63c0e088727f41d39dfaf026117f52a
Opcode Fuzzy Hash: f30803284fcd569138ebfe137607432e2cc720968c0e6c88609b75d8cc9aeec9
Instruction Fuzzy Hash: 3241D734615216AFCF21CFA8DD54ABABBB6AF41320F245169FA599B1A1DB30CD01CB70

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 00000010.00000003.1326075646.000001FD7FD78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1326075646.000001FD7FD78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1326075646.000001FD7FD78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1326075646.000001FD7FD78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.1326075646.000001FD7FD78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1354099015.000001FD06A9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1355659626.000001FD0EFFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1463006647.00001E7CC1C03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1463006647.00001E7CC1C03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1483940416.000001FD0F347000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1466473221.000001FD7FD7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.1378898265.000001FD0F29F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1473441754.000001FD0F28F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1469914787.000001FD10887000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1378636100.000001FD0F591000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1472142075.000001FD0F591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1469914787.000001FD10887000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1378636100.000001FD0F591000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1376905169.000001FD10887000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1477087168.000001FD0DFC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1378898265.000001FD0F29F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1379185189.000001FD0DFAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1479342729.000001FD0D951000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1380270778.000001FD0D951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1479342729.000001FD0D951000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1380270778.000001FD0D951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1469914787.000001FD10887000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1378636100.000001FD0F591000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1472142075.000001FD0F591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1469914787.000001FD10887000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1378636100.000001FD0F591000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1376905169.000001FD10887000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2499865239.000001ED6010A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2501476893.000002256910C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2499865239.000001ED6010A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2501476893.000002256910C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.1323370250.000001FD0774A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2499865239.000001ED6010A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2501476893.000002256910C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1483940416.000001FD0F347000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1378898265.000001FD0F2BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1477087168.000001FD0DFC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1378898265.000001FD0F29F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.1381430852.000001FD07EE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1378898265.000001FD0F2BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1493141016.000001FD0F2E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.1378636100.000001FD0F591000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.1472142075.000001FD0F591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.7:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49868 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49870 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49866 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49874 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49875 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_3b636ac8-4ab4-4839-b2e3-b3220a7a0b96.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_3b636ac8-4ab4-4839-b2e3-b3220a7a0b96.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre