Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562633
MD5:	3add5a1a6f0235a959501f89d3e16242
SHA1:	126448447379b70593d3b074b295cefcf43a5c3f
SHA256:	c4dd5e0c0b5d47ce6077df70ee5922c3bfc56fada6e41f2015ae0815b0396f89
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3ADD5A1A6F0235A959501F89D3E16242)

taskkill.exe (PID: 7372 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7636 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7740 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7824 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7884 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7992 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8028 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8044 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6496 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2200 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cf237a4-7973-4ec8-84ee-07681bc278bc} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" 1bda816f510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7880 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4468 -parentBuildID 20230927232528 -prefsHandle 4460 -prefMapHandle 3996 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a5d1342-43e8-4a15-9f70-b771ca3599d0} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" 1bdba5c3110 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7380 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5088 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 2504 -prefMapHandle 5108 -prefsLen 33093 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15cd57e1-877b-49b0-a41c-7dabf754dcb4} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" 1bda8172310 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7344	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00EDEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00EDEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EDED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00EDED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00EDEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ECAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00ECAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EF9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00EF9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_59be8410-e
Source: file.exe, 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0e86fc24-1
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a57e824c-5
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d7551502-f

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_00000232A60C21F2 NtQuerySystemInformation,		19_2_00000232A60C21F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_00000232A60CB137 NtQuerySystemInformation,		19_2_00000232A60CB137

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ECD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00ECD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EC1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00EC1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ECE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00ECE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E68060	0_2_00E68060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED2046	0_2_00ED2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC8298	0_2_00EC8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9E4FF	0_2_00E9E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9676B	0_2_00E9676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF4873	0_2_00EF4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6CAF0	0_2_00E6CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8CAA0	0_2_00E8CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7CC39	0_2_00E7CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E96DD9	0_2_00E96DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7D063	0_2_00E7D063
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E691C0	0_2_00E691C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7B119	0_2_00E7B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E81394	0_2_00E81394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8781B	0_2_00E8781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7997D	0_2_00E7997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E67920	0_2_00E67920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E87A4A	0_2_00E87A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E87CA7	0_2_00E87CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E99EEE	0_2_00E99EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EEBE44	0_2_00EEBE44
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_00000232A60C21F2	19_2_00000232A60C21F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_00000232A60C2232	19_2_00000232A60C2232
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_00000232A60C291C	19_2_00000232A60C291C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_00000232A60CB137	19_2_00000232A60CB137

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E80A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E7F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E69CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@66/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ED37B5 GetLastError,FormatMessageW,

0_2_00ED37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC10BF AdjustTokenPrivileges,CloseHandle,		0_2_00EC10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00EC16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ED51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00ED51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ECD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00ECD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ED648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00ED648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00E642A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 00000010.00000003.2385690712.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2377924927.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 00000010.00000003.2385690712.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2377924927.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 00000010.00000003.2385690712.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2377924927.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 00000010.00000003.2385690712.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2377924927.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 00000010.00000003.2385690712.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2377924927.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 00000010.00000003.2385690712.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2377924927.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 00000010.00000003.2385690712.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2377924927.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 00000010.00000003.2385690712.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2377924927.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 00000010.00000003.2385690712.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2377924927.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2200 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cf237a4-7973-4ec8-84ee-07681bc278bc} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" 1bda816f510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4468 -parentBuildID 20230927232528 -prefsHandle 4460 -prefMapHandle 3996 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a5d1342-43e8-4a15-9f70-b771ca3599d0} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" 1bdba5c3110 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5088 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 2504 -prefMapHandle 5108 -prefsLen 33093 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15cd57e1-877b-49b0-a41c-7dabf754dcb4} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" 1bda8172310 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2200 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cf237a4-7973-4ec8-84ee-07681bc278bc} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" 1bda816f510 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4468 -parentBuildID 20230927232528 -prefsHandle 4460 -prefMapHandle 3996 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a5d1342-43e8-4a15-9f70-b771ca3599d0} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" 1bdba5c3110 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5088 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 2504 -prefMapHandle 5108 -prefsLen 33093 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15cd57e1-877b-49b0-a41c-7dabf754dcb4} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" 1bda8172310 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: freebl3.pdb source: firefox.exe, 00000010.00000003.2404541998.000001BDB9BB6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 00000010.00000003.2404814953.000001BDB9B91000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 00000010.00000003.2404541998.000001BDB9BB6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdbINTEGER source: firefox.exe, 00000010.00000003.2404541998.000001BDB9BB6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsaenh.pdb source: firefox.exe, 00000010.00000003.2403440442.000001BDBA088000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 00000010.00000003.2404235361.000001BDB9BE8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 00000010.00000003.2431547880.000001BDB7BBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 00000010.00000003.2404666930.000001BDB9B99000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 00000010.00000003.2427792212.000001BDC2B01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 00000010.00000003.2431547880.000001BDB7BBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 00000010.00000003.2404814953.000001BDB9B91000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 00000010.00000003.2406266359.000001BDB98EA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 00000010.00000003.2404666930.000001BDB9B99000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.16.dr
Source:	Binary string: nssckbi.pdb source: firefox.exe, 00000010.00000003.2404541998.000001BDB9BB6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 00000010.00000003.2404235361.000001BDB9BE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2403440442.000001BDBA088000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 00000010.00000003.2415011035.000001BDB95A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 00000010.00000003.2404814953.000001BDB9B91000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.16.dr
Source:	Binary string: userenv.pdb source: firefox.exe, 00000010.00000003.2415011035.000001BDB95A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb@ source: firefox.exe, 00000010.00000003.2404235361.000001BDB9BE8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdbINTEGER source: firefox.exe, 00000010.00000003.2404541998.000001BDB9BB6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 00000010.00000003.2404235361.000001BDB9BE8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 00000010.00000003.2430022918.000001BDC2B01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 00000010.00000003.2404235361.000001BDB9BE8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 00000010.00000003.2427792212.000001BDC2B01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 00000010.00000003.2404666930.000001BDB9B99000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 00000010.00000003.2404541998.000001BDB9BB6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 00000010.00000003.2404541998.000001BDB9BB6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 00000010.00000003.2404814953.000001BDB9B91000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 00000010.00000003.2430022918.000001BDC2B01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdbP% source: firefox.exe, 00000010.00000003.2404814953.000001BDB9B91000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdbguid source: firefox.exe, 00000010.00000003.2404541998.000001BDB9BB6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 00000010.00000003.2404814953.000001BDB9B91000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E642DE

Source: gmpopenh264.dll.tmp.16.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E80A76 push ecx; ret

0_2_00E80A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00E7F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00EF1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95218

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 19_2_00000232A60C21F2 rdtsc

19_2_00000232A60C21F2

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ECDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00ECDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9C2A2 FindFirstFileExW,	0_2_00E9C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED68EE FindFirstFileW,FindClose,	0_2_00ED68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00ED698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ECD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ECD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ECD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00ECD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00ED9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00ED979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00ED9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00ED5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E642DE

Source: firefox.exe, 00000012.00000002.3424608816.000002064C010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: firefox.exe, 00000012.00000002.3423123023.000002064BF4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%
Source: firefox.exe, 00000012.00000002.3423123023.000002064BF4A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3427497227.00000232A5FB0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3422734317.00000232A57CA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3426726591.000001C13A470000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3422830803.000001C13A0AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000012.00000002.3427875853.000002064C416000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000012.00000002.3424608816.000002064C010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: firefox.exe, 00000012.00000002.3424608816.000002064C010000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3427497227.00000232A5FB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 19_2_00000232A60C21F2 rdtsc

19_2_00000232A60C21F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EDEAA2 BlockInput,

0_2_00EDEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00E92622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E642DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E84CE8 mov eax, dword ptr fs:[00000030h]

0_2_00E84CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EC0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00EC0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E92622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E8083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E809D5 SetUnhandledExceptionFilter,	0_2_00E809D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E80C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00E80C21

Source: C:\Users\user\Desktop\file.exe

0_2_00EC1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00EA2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ECB226 SendInput,keybd_event,

0_2_00ECB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EE22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00EE22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00EC0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EC1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00EC1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 00000010.00000003.2382378061.000001BDC2B01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E80698 cpuid

0_2_00E80698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ED8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00ED8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EBD27A GetUserNameW,

0_2_00EBD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E9B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00E9B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E642DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7344, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7344, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00EE1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00EE1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	29%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.195.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.129	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.65.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
ax-0001.ax-msedge.net	150.171.27.10	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.142	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.17.46	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.1.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000010.00000003.2414018515.000001BDBA8CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2246848207.000001BDBA8C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2401926544.000001BDBA8B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2410804323.000001BDBBE40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3423435520.00000232A5AC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423563418.000001C13A3C3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 00000010.00000003.2395948555.000001BDBC210000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 00000010.00000003.2386352878.000001BDC17C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2310438499.000001BDB8DC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2373185414.000001BDB8121000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2378545885.000001BDC17C7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.16.dr	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.3425257268.000002064C372000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3423435520.00000232A5A86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423563418.000001C13A38E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 00000010.00000003.2378900729.000001BDC0AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2387284744.000001BDC0AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2397456156.000001BDC0AF3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 00000010.00000003.2433506890.000001BDC088C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2389278527.000001BDC088C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242853321.000001BDC0894000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242705708.000001BDC08C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 00000010.00000003.2396116010.000001BDBBB8D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000010.00000003.2217945179.000001BDB8053000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2217515085.000001BDB8010000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2216512031.000001BDB7E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2217765160.000001BDB8032000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 00000010.00000003.2403440442.000001BDBA0E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2416133796.000001BDB91BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2416133796.000001BDB91D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 00000010.00000003.2385690712.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2377924927.000001BDC291C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 00000010.00000003.2410804323.000001BDBBE40000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000010.00000003.2217945179.000001BDB8053000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2350931658.000001BDB9DF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2217515085.000001BDB8010000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2273674322.000001BDB9DF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2323470078.000001BDB9DF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2216512031.000001BDB7E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2357054950.000001BDB9DF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2217765160.000001BDB8032000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 00000010.00000003.2393338177.000001BDBB749000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2380960878.000001BDBB749000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 00000010.00000003.2217515085.000001BDB8010000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2216512031.000001BDB7E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2217765160.000001BDB8032000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 00000010.00000003.2409465773.000001BDC063F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2412996516.000001BDBACF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2396116010.000001BDBBB8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2400796834.000001BDBACF5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 00000010.00000003.2397493442.000001BDC0AE1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 00000010.00000003.2378900729.000001BDC0AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2387284744.000001BDC0AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2397456156.000001BDC0AF3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://ac	firefox.exe, 00000013.00000002.3427167332.00000232A5B40000.00000004.00000020.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 00000010.00000003.2396581943.000001BDC1EB8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.instagram.com/	firefox.exe, 00000010.00000003.2275887600.000001BDB9F22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2276113775.000001BDB9F24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2275009217.000001BDB9F22000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.16.dr	false	high
https://www.amazon.com/	firefox.exe, 00000010.00000003.2379816677.000001BDBC27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242853321.000001BDC0894000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242758712.000001BDC08B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242705708.000001BDC08C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 00000010.00000003.2379816677.000001BDBC217000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2389779540.000001BDBC217000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2410495513.000001BDBC21D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000001A.00000002.3423563418.000001C13A30C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 00000010.00000003.2312316360.000001BDBA285000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2312316360.000001BDBA272000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2312997516.000001BDBA299000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 00000010.00000003.2388861705.000001BDC08E2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 00000010.00000003.2433506890.000001BDC088C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2389278527.000001BDC088C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242853321.000001BDC0894000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242705708.000001BDC08C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 00000010.00000003.2396581943.000001BDC1EB8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000010.00000003.2389779540.000001BDBC27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2246848207.000001BDBA8C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2401926544.000001BDBA8B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2410804323.000001BDBBE40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3423435520.00000232A5AC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423563418.000001C13A3C3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 00000010.00000003.2312316360.000001BDBA285000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2310767811.000001BDBA254000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2312316360.000001BDBA254000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 00000010.00000003.2355230300.000001BDB9D2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2367255065.000001BDB9D2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2264287869.000001BDB9D30000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 00000010.00000003.2407657704.000001BDC1E77000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 00000010.00000003.2403440442.000001BDBA0E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2416133796.000001BDB91D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.16.dr	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 00000010.00000003.2410495513.000001BDBC21D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000010.00000003.2411059270.000001BDBBBD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3423435520.00000232A5A12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423563418.000001C13A313000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 00000010.00000003.2433506890.000001BDC088C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2389278527.000001BDC088C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242853321.000001BDC0894000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242705708.000001BDC08C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 0000001A.00000002.3423563418.000001C13A38E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 00000010.00000003.2410804323.000001BDBBE40000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000010.00000003.2430135708.000001BDB79D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2362625583.000001BDB85A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2321414995.000001BDBBDD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2348156070.000001BDB9F5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2222239558.000001BDB85E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2355230300.000001BDB9D25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2353698442.000001BDB9D37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2345348246.000001BDB9F57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2402660403.000001BDBA7D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2263141300.000001BDB9D1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2322960409.000001BDBBA83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2317003978.000001BDB8592000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2317003978.000001BDB85C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2269487921.000001BDB9F62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2379816677.000001BDBC217000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2355230300.000001BDB9DA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2410721496.000001BDBBEAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2369331919.000001BDB79D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2355230300.000001BDB9D2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2243076437.000001BDBBEAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2426614170.000001BDB79D3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 00000010.00000003.2399664261.000001BDBADA2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.16.dr	false	high
https://www.zhihu.com/	firefox.exe, 00000010.00000003.2242705708.000001BDC08C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 00000010.00000003.2406266359.000001BDB98CA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 00000010.00000003.2406266359.000001BDB98CA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 00000010.00000003.2404235361.000001BDB9BF2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 00000010.00000003.2393338177.000001BDBB749000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2411941210.000001BDBB753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2380960878.000001BDBB749000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 00000010.00000003.2312316360.000001BDBA285000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2310767811.000001BDBA254000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2312316360.000001BDBA254000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2312316360.000001BDBA272000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2313081784.000001BDBA27B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2313039600.000001BDBA29D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2312997516.000001BDBA299000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 00000010.00000003.2396581943.000001BDC1EB8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://acd	firefox.exe, 0000001A.00000002.3426410008.000001C13A460000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 00000010.00000003.2410254889.000001BDBC2B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242319259.000001BDC08E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.co.uk/	firefox.exe, 00000010.00000003.2433506890.000001BDC088C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2389278527.000001BDC088C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242853321.000001BDC0894000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242705708.000001BDC08C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 00000010.00000003.2400179232.000001BDBAD63000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 00000010.00000003.2217765160.000001BDB8032000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 00000010.00000003.2217945179.000001BDB8053000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2350931658.000001BDB9DF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2217515085.000001BDB8010000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2273674322.000001BDB9DF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2323470078.000001BDB9DF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2216512031.000001BDB7E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2357054950.000001BDB9DF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2217765160.000001BDB8032000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gpuweb.github.io/gpuweb/	firefox.exe, 00000010.00000003.2410804323.000001BDBBE40000.00000004.00000800.00020000.00000000.sdmp	false	high
https://relay.firefox.com/api/v1/	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://json-schema.org/draft-07/schema#-	firefox.exe, 00000010.00000003.2378900729.000001BDC0AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2387284744.000001BDC0AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2397456156.000001BDC0AF3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000012.00000002.3424038703.000002064BFB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3427001785.00000232A5B00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423166255.000001C13A1B0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.wykop.pl/	firefox.exe, 00000010.00000003.2388861705.000001BDC08B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242758712.000001BDC08B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242705708.000001BDC08C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://twitter.com/	firefox.exe, 00000010.00000003.2379816677.000001BDBC27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242853321.000001BDC0894000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242758712.000001BDC08B3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.olx.pl/	firefox.exe, 00000010.00000003.2433506890.000001BDC088C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2388861705.000001BDC08B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2389278527.000001BDC088C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242853321.000001BDC0894000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242758712.000001BDC08B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242705708.000001BDC08C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 00000010.00000003.2312316360.000001BDBA285000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2312316360.000001BDBA272000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2313081784.000001BDBA27B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2312997516.000001BDBA299000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefox	firefox.exe, 00000010.00000003.2403893069.000001BDBA052000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2403893069.000001BDBA065000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	firefox.exe, 00000012.00000002.3425257268.000002064C3CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3423435520.00000232A5AEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3426949605.000001C13A603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.16.dr	false	high
https://youtube.com/account?=https://acb	firefox.exe, 00000012.00000002.3424223934.000002064C000000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.142	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562633
Start date and time:	2024-11-25 20:10:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@66/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 38 Number of non-executed functions: 310
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.198.119.84, 52.32.237.164, 52.27.142.243, 34.209.229.249, 172.217.17.42, 172.217.17.74, 172.217.17.78, 2.23.167.193, 2.20.255.154, 88.221.134.209, 88.221.134.155, 172.217.17.46
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, tse1.mm.bing.net, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, wns.notify.trafficmanager.net, ocsp.digicert.com, redirector.gvt1.com, ocsp.edge.digicert.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:11:20	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
FASTLYUS	http://www.thecrownstate.co.uk/	Get hash	malicious	Unknown	Browse	151.101.192.176
	https://sites.google.com/ceqy.com/rfp/home	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	https://yancesybros.com/WHF9842BVD.html	Get hash	malicious	Unknown	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	_Rmcgaughy_Sonicwall inc._Financial...2024-jxj9FL.svg	Get hash	malicious	Unknown	Browse	199.232.196.193
	_Rmcgaughy_Sonicwall inc._Financial...2024-jxj9FL.svg	Get hash	malicious	Unknown	Browse	199.232.196.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	xeno.bat	Get hash	malicious	Unknown	Browse	185.199.110.133
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://www.urbanerecycling.com	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	34.174.208.6
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	34.19.186.170

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_3921d251-4c84-4cb1-8ed6-1478a7460f31.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.180075439998098
Encrypted:	false
SSDEEP:	192:4BMXkGZcbhbVbTbfbRbObtbyEl7ngrfJA6unSrDtTkdxSofd:4iZcNhnzFSJArG1nSrDhkdxB
MD5:	684F071B21D701871872B78904B69118
SHA1:	34505E7B3BF27E4FFEA787B9D5E1E3CEF729F0D0
SHA-256:	579355E3EA69B2AA4EE80954853FC6E3BCC2D2FDD07E624C5013EA8FEADD43C2
SHA-512:	C57B163E4DEDAAC2E05A057A9EDE243F469EA3C79B8BD50FACD9E33FE80FFAFDE10DE0C60C3FD315DD22CB4FB1F204BC9AC0F7D5850CF05D9F1141E503C4F398
Malicious:	false
Preview:	{"type":"uninstall","id":"3921d251-4c84-4cb1-8ed6-1478a7460f31","creationDate":"2024-11-25T20:19:31.728Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_3921d251-4c84-4cb1-8ed6-1478a7460f31.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.180075439998098
Encrypted:	false
SSDEEP:	192:4BMXkGZcbhbVbTbfbRbObtbyEl7ngrfJA6unSrDtTkdxSofd:4iZcNhnzFSJArG1nSrDhkdxB
MD5:	684F071B21D701871872B78904B69118
SHA1:	34505E7B3BF27E4FFEA787B9D5E1E3CEF729F0D0
SHA-256:	579355E3EA69B2AA4EE80954853FC6E3BCC2D2FDD07E624C5013EA8FEADD43C2
SHA-512:	C57B163E4DEDAAC2E05A057A9EDE243F469EA3C79B8BD50FACD9E33FE80FFAFDE10DE0C60C3FD315DD22CB4FB1F204BC9AC0F7D5850CF05D9F1141E503C4F398
Malicious:	false
Preview:	{"type":"uninstall","id":"3921d251-4c84-4cb1-8ed6-1478a7460f31","creationDate":"2024-11-25T20:19:31.728Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.92970842864824
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLtk8P:gXiNFS+OcUGOdwiOdwBjkYLtk8P
MD5:	5065F443E8CA8F6516E078142F8786BE
SHA1:	B05073CB5E89FD69994CE79FCA15C16BEFBF683D
SHA-256:	F7737DC36C92ABC07D259039D29B4885DFE87A5C58BA1447F5C163B3C99B4375
SHA-512:	C2E97D1264F84B4F2652AFD79FD04C017D689FF95FFD5115AD316B347952C0B558CE3DE32D026647A85D2E532276BF6F4742FD3D46E61089182A063325E36A40
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.92970842864824
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLtk8P:gXiNFS+OcUGOdwiOdwBjkYLtk8P
MD5:	5065F443E8CA8F6516E078142F8786BE
SHA1:	B05073CB5E89FD69994CE79FCA15C16BEFBF683D
SHA-256:	F7737DC36C92ABC07D259039D29B4885DFE87A5C58BA1447F5C163B3C99B4375
SHA-512:	C2E97D1264F84B4F2652AFD79FD04C017D689FF95FFD5115AD316B347952C0B558CE3DE32D026647A85D2E532276BF6F4742FD3D46E61089182A063325E36A40
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07318605941237004
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	3DBCE18EFEED733AACF7CAC005D571CE
SHA1:	433B557CEAF63B86DA7CE3CB648199F10DFFADE6
SHA-256:	30A1B94A95FED03362A6448E0F9E000AC2F2556197AB3C49ECA272234D8C2047
SHA-512:	75FEFF6C9C05460F37CCDD0330A907567DF607B1507859FF41F74D2E1EE57BDF80416401D2ADDEA5A93805598B75E9306D2F4E22D74C86EB8FDA102A1E4DCF32
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035447157006298996
Encrypted:	false
SSDEEP:	6:GtWtq3g4L0H9MoPWtq3g4L0H9UtlJ89XuM:s3ACG3AaZsuM
MD5:	B611B34DF3444B4ABCE79706EDEDA48C
SHA1:	3296C81BB501861A4FFFF9AF36F033F5C32533C3
SHA-256:	50DD737D70D4ECE069CCE4F8E34561A8EB330B211C9A0DDB366A22986AA2943B
SHA-512:	9F55459BF0BF549702079307026119DA7382EEBC0AE86C8F51A462895E7F72335A9445F732D89D9DBBCF78276C38DDFC5A7B398F104FE4C4FB6D9DC406ED34C6
Malicious:	false
Preview:	..-.......................rB.h<.....[.t...Q.{.9..-.......................rB.h<.....[.t...Q.{.9........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.034962091109837466
Encrypted:	false
SSDEEP:	3:Ol1kv7IUiIpL0HnXDziSrV//mwl8XW3R2:Kqv7jL0HnX3xpuw93w
MD5:	411C26831F871C983E9A4CA8D9ED62FA
SHA1:	2D53F7083D8115E9B21045B2DA9CA55ECF8A0B64
SHA-256:	DB0ACFDC610D71F80988118FE3961E1A0202E91C4F6CF5E5C6176C7D22F021DF
SHA-512:	3B62D3596BC4D8D58C6452CEB4EF1032EA541E6CD931FD2C2DFFDFD8CF7987201F3F3D572C16BC262EEEAEE998D1155A27498325F34973AD5E736BFAA01898D7
Malicious:	false
Preview:	7....-..............[.t.U ..1..............[.tBr...<h.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.468081920826469
Encrypted:	false
SSDEEP:	192:unTFTRRUYbBp6iLZNMGaXo6qU4pCzy+/3/79P5RYiNBw8dBSl:0KenFNMPWCyCxdwS0
MD5:	F30985B3BEAA2DC264134463E153CC62
SHA1:	2EA8FC38E329CC797F3086A1CCD0BFA0456B5EC5
SHA-256:	A2435368B3133C088658BC36D8227DC83E458F2C793684BED55B1F8892A9283A
SHA-512:	71027E66511FF14962EF793CF10382CE607F85E8BCBF57C376F2D1E20C11B41D24B692BC90B0F6FDB2017FD7A8C02CE0E88CE55756E56EB460BD30C77A62CB9C
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732565942);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732565942);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732565942);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173256

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.468081920826469
Encrypted:	false
SSDEEP:	192:unTFTRRUYbBp6iLZNMGaXo6qU4pCzy+/3/79P5RYiNBw8dBSl:0KenFNMPWCyCxdwS0
MD5:	F30985B3BEAA2DC264134463E153CC62
SHA1:	2EA8FC38E329CC797F3086A1CCD0BFA0456B5EC5
SHA-256:	A2435368B3133C088658BC36D8227DC83E458F2C793684BED55B1F8892A9283A
SHA-512:	71027E66511FF14962EF793CF10382CE607F85E8BCBF57C376F2D1E20C11B41D24B692BC90B0F6FDB2017FD7A8C02CE0E88CE55756E56EB460BD30C77A62CB9C
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732565942);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732565942);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732565942);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173256

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.335769303301496
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSM+jLXnIgpZG/pnxQwRlszT5sKL093eHVvwKXTJamhujJmyOOxmOmm:GUpOx+jKnR6S3eNwCTJ4JNKRh4
MD5:	F720D767A3EFA5AD3E51C10DA57E3DE0
SHA1:	482ACDCC2950F57EFE02D6B4562FB4D19E653ED7
SHA-256:	5F968A5464F47762C940FF3263E66F01F0EC28EB721A29E345B80048E997734D
SHA-512:	EBE9C8E0EF651EB115729EB5483D3C57617FD8180B13BA8F1A96CDF68A712A873DFBB9683DBF12451B70234FD77CB807FB8C37E0BF3E0B1E0BE3C23037E81051
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{4740c060-34c1-426d-8e81-791f8d599c7b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732565946885,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..P11413...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...15982,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.335769303301496
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSM+jLXnIgpZG/pnxQwRlszT5sKL093eHVvwKXTJamhujJmyOOxmOmm:GUpOx+jKnR6S3eNwCTJ4JNKRh4
MD5:	F720D767A3EFA5AD3E51C10DA57E3DE0
SHA1:	482ACDCC2950F57EFE02D6B4562FB4D19E653ED7
SHA-256:	5F968A5464F47762C940FF3263E66F01F0EC28EB721A29E345B80048E997734D
SHA-512:	EBE9C8E0EF651EB115729EB5483D3C57617FD8180B13BA8F1A96CDF68A712A873DFBB9683DBF12451B70234FD77CB807FB8C37E0BF3E0B1E0BE3C23037E81051
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{4740c060-34c1-426d-8e81-791f8d599c7b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732565946885,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..P11413...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...15982,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.335769303301496
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSM+jLXnIgpZG/pnxQwRlszT5sKL093eHVvwKXTJamhujJmyOOxmOmm:GUpOx+jKnR6S3eNwCTJ4JNKRh4
MD5:	F720D767A3EFA5AD3E51C10DA57E3DE0
SHA1:	482ACDCC2950F57EFE02D6B4562FB4D19E653ED7
SHA-256:	5F968A5464F47762C940FF3263E66F01F0EC28EB721A29E345B80048E997734D
SHA-512:	EBE9C8E0EF651EB115729EB5483D3C57617FD8180B13BA8F1A96CDF68A712A873DFBB9683DBF12451B70234FD77CB807FB8C37E0BF3E0B1E0BE3C23037E81051
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{4740c060-34c1-426d-8e81-791f8d599c7b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732565946885,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..P11413...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...15982,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.009448075790432
Encrypted:	false
SSDEEP:	48:YrSAYD/HqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycD/CTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	2A481FB5A4CDCDCCEC031EC7942E45C0
SHA1:	AED334C8DB0A11047DE7D21931732E7A68E8EA3E
SHA-256:	A07062686E1B1F483624E1AFFC02E8C6FC83D3E84FB6868FFD6CF5AE76E1366F
SHA-512:	A0F7E2C42E7DE4167F501C0E3615282D34286EE39049DC37CA5B78CA6CAB4E1F2EE6EEE1253BFF59767A226F82BE7E5E5E31103614E0ACF024517004B3D3DD5D
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-25T20:18:50.764Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.009448075790432
Encrypted:	false
SSDEEP:	48:YrSAYD/HqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycD/CTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	2A481FB5A4CDCDCCEC031EC7942E45C0
SHA1:	AED334C8DB0A11047DE7D21931732E7A68E8EA3E
SHA-256:	A07062686E1B1F483624E1AFFC02E8C6FC83D3E84FB6868FFD6CF5AE76E1366F
SHA-512:	A0F7E2C42E7DE4167F501C0E3615282D34286EE39049DC37CA5B78CA6CAB4E1F2EE6EEE1253BFF59767A226F82BE7E5E5E31103614E0ACF024517004B3D3DD5D
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-25T20:18:50.764Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.592342883257498
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'624 bytes
MD5:	3add5a1a6f0235a959501f89d3e16242
SHA1:	126448447379b70593d3b074b295cefcf43a5c3f
SHA256:	c4dd5e0c0b5d47ce6077df70ee5922c3bfc56fada6e41f2015ae0815b0396f89
SHA512:	b6e8a938e10da4c5a5a2d5195551b839c82a87a225a6a41ea99f87ab33369e7498f229637d2aa9273b68c4e20f30b5f84381d83a54459988fe6e2cda7155039e
SSDEEP:	12288:CEqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaGTM:rqDEvCTbMWu7rQYlBQcBiT6rprG8aeM
TLSH:	FF159E0273D1C062FF9B92334B5AF6515BBC69260123E61F13A81DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6744CB3D [Mon Nov 25 19:08:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FBA810466A3h
jmp 00007FBA81045FAFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FBA8104618Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FBA8104615Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FBA81048D4Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FBA81048D98h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FBA81048D81h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa854	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa854	0xaa00	5b801a0120f37229a7b00551c0ee0fa0	False	0.36861213235294116	data	5.646339959931224	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1b1a	data			1.0015854713173826
RT_GROUP_ICON	0xde2d4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde34c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde360	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde374	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde388	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde464	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 20:11:12.945594072 CET	49724	443	192.168.2.6	35.190.72.216
Nov 25, 2024 20:11:12.945635080 CET	443	49724	35.190.72.216	192.168.2.6
Nov 25, 2024 20:11:12.945847988 CET	49724	443	192.168.2.6	35.190.72.216
Nov 25, 2024 20:11:12.950761080 CET	49724	443	192.168.2.6	35.190.72.216
Nov 25, 2024 20:11:12.950778008 CET	443	49724	35.190.72.216	192.168.2.6
Nov 25, 2024 20:11:14.275588036 CET	443	49724	35.190.72.216	192.168.2.6
Nov 25, 2024 20:11:14.275782108 CET	49724	443	192.168.2.6	35.190.72.216
Nov 25, 2024 20:11:14.286547899 CET	49724	443	192.168.2.6	35.190.72.216
Nov 25, 2024 20:11:14.286561966 CET	443	49724	35.190.72.216	192.168.2.6
Nov 25, 2024 20:11:14.286684036 CET	49724	443	192.168.2.6	35.190.72.216
Nov 25, 2024 20:11:14.286830902 CET	443	49724	35.190.72.216	192.168.2.6
Nov 25, 2024 20:11:14.289246082 CET	49724	443	192.168.2.6	35.190.72.216
Nov 25, 2024 20:11:14.320605993 CET	49726	443	192.168.2.6	142.250.181.142
Nov 25, 2024 20:11:14.320657969 CET	443	49726	142.250.181.142	192.168.2.6
Nov 25, 2024 20:11:14.320765018 CET	49727	443	192.168.2.6	142.250.181.142
Nov 25, 2024 20:11:14.320825100 CET	443	49727	142.250.181.142	192.168.2.6
Nov 25, 2024 20:11:14.321842909 CET	49726	443	192.168.2.6	142.250.181.142
Nov 25, 2024 20:11:14.321908951 CET	49727	443	192.168.2.6	142.250.181.142
Nov 25, 2024 20:11:14.323182106 CET	49726	443	192.168.2.6	142.250.181.142
Nov 25, 2024 20:11:14.323199987 CET	443	49726	142.250.181.142	192.168.2.6
Nov 25, 2024 20:11:14.324533939 CET	49727	443	192.168.2.6	142.250.181.142
Nov 25, 2024 20:11:14.324549913 CET	443	49727	142.250.181.142	192.168.2.6
Nov 25, 2024 20:11:14.324734926 CET	49728	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:14.445965052 CET	80	49728	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:14.446100950 CET	49728	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:14.446259022 CET	49728	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:14.566216946 CET	80	49728	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:15.096558094 CET	49729	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:15.096597910 CET	443	49729	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:15.096873999 CET	49730	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:15.096884012 CET	443	49730	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:15.097737074 CET	49731	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:15.097784042 CET	443	49731	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:15.099446058 CET	49729	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:15.099446058 CET	49730	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:15.099510908 CET	49731	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:15.099812031 CET	49729	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:15.099828005 CET	443	49729	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:15.101254940 CET	49730	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:15.101269007 CET	443	49730	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:15.102525949 CET	49731	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:15.102547884 CET	443	49731	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:15.453555107 CET	49733	443	192.168.2.6	34.160.144.191
Nov 25, 2024 20:11:15.453583956 CET	443	49733	34.160.144.191	192.168.2.6
Nov 25, 2024 20:11:15.453767061 CET	49733	443	192.168.2.6	34.160.144.191
Nov 25, 2024 20:11:15.453943014 CET	49733	443	192.168.2.6	34.160.144.191
Nov 25, 2024 20:11:15.453955889 CET	443	49733	34.160.144.191	192.168.2.6
Nov 25, 2024 20:11:15.578346014 CET	80	49728	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:15.652178049 CET	49728	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:16.063229084 CET	49743	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:16.069231033 CET	443	49726	142.250.181.142	192.168.2.6
Nov 25, 2024 20:11:16.070262909 CET	443	49726	142.250.181.142	192.168.2.6
Nov 25, 2024 20:11:16.073518038 CET	49726	443	192.168.2.6	142.250.181.142
Nov 25, 2024 20:11:16.073548079 CET	443	49726	142.250.181.142	192.168.2.6
Nov 25, 2024 20:11:16.077481031 CET	49726	443	192.168.2.6	142.250.181.142
Nov 25, 2024 20:11:16.077497959 CET	443	49726	142.250.181.142	192.168.2.6
Nov 25, 2024 20:11:16.077575922 CET	49726	443	192.168.2.6	142.250.181.142
Nov 25, 2024 20:11:16.077889919 CET	443	49726	142.250.181.142	192.168.2.6
Nov 25, 2024 20:11:16.077953100 CET	49726	443	192.168.2.6	142.250.181.142
Nov 25, 2024 20:11:16.112091064 CET	443	49727	142.250.181.142	192.168.2.6
Nov 25, 2024 20:11:16.113132000 CET	443	49727	142.250.181.142	192.168.2.6
Nov 25, 2024 20:11:16.115581036 CET	49727	443	192.168.2.6	142.250.181.142
Nov 25, 2024 20:11:16.115608931 CET	443	49727	142.250.181.142	192.168.2.6
Nov 25, 2024 20:11:16.119602919 CET	49727	443	192.168.2.6	142.250.181.142
Nov 25, 2024 20:11:16.119632006 CET	443	49727	142.250.181.142	192.168.2.6
Nov 25, 2024 20:11:16.119707108 CET	49727	443	192.168.2.6	142.250.181.142
Nov 25, 2024 20:11:16.119829893 CET	443	49727	142.250.181.142	192.168.2.6
Nov 25, 2024 20:11:16.126868963 CET	49727	443	192.168.2.6	142.250.181.142
Nov 25, 2024 20:11:16.183218956 CET	80	49743	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:16.189416885 CET	49743	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:16.189760923 CET	49743	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:16.310615063 CET	80	49743	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:16.381594896 CET	443	49729	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:16.381743908 CET	49729	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:16.383117914 CET	443	49730	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:16.384615898 CET	49729	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:16.384635925 CET	443	49729	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:16.384850025 CET	49730	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:16.385643959 CET	443	49729	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:16.387485981 CET	443	49731	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:16.388072014 CET	49729	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:16.388174057 CET	49729	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:16.388490915 CET	443	49729	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:16.388571978 CET	49729	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:16.388787031 CET	49731	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:16.392559052 CET	49730	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:16.392612934 CET	443	49730	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:16.392699957 CET	49730	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:16.392869949 CET	443	49730	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:16.393085003 CET	49730	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:16.393265009 CET	49731	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:16.393276930 CET	443	49731	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:16.393373013 CET	49731	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:16.393596888 CET	443	49731	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:16.393745899 CET	49744	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:16.393791914 CET	443	49744	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:16.393799067 CET	49731	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:16.393909931 CET	49744	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:16.395250082 CET	49744	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:16.395267963 CET	443	49744	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:16.458250046 CET	49728	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:16.579564095 CET	80	49728	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:16.579672098 CET	49728	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:16.719624043 CET	443	49733	34.160.144.191	192.168.2.6
Nov 25, 2024 20:11:16.719705105 CET	49733	443	192.168.2.6	34.160.144.191
Nov 25, 2024 20:11:16.722534895 CET	49733	443	192.168.2.6	34.160.144.191
Nov 25, 2024 20:11:16.722543955 CET	443	49733	34.160.144.191	192.168.2.6
Nov 25, 2024 20:11:16.722747087 CET	443	49733	34.160.144.191	192.168.2.6
Nov 25, 2024 20:11:16.724828005 CET	49733	443	192.168.2.6	34.160.144.191
Nov 25, 2024 20:11:16.724941969 CET	443	49733	34.160.144.191	192.168.2.6
Nov 25, 2024 20:11:16.724950075 CET	49733	443	192.168.2.6	34.160.144.191
Nov 25, 2024 20:11:16.724955082 CET	443	49733	34.160.144.191	192.168.2.6
Nov 25, 2024 20:11:16.725332975 CET	49746	443	192.168.2.6	34.160.144.191
Nov 25, 2024 20:11:16.725373030 CET	443	49746	34.160.144.191	192.168.2.6
Nov 25, 2024 20:11:16.725550890 CET	49733	443	192.168.2.6	34.160.144.191
Nov 25, 2024 20:11:16.725555897 CET	49746	443	192.168.2.6	34.160.144.191
Nov 25, 2024 20:11:16.725703001 CET	49746	443	192.168.2.6	34.160.144.191
Nov 25, 2024 20:11:16.725718021 CET	443	49746	34.160.144.191	192.168.2.6
Nov 25, 2024 20:11:16.866769075 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:16.991487980 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:16.991573095 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:16.991758108 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:17.118103027 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:17.370151043 CET	80	49743	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:17.370440006 CET	49743	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:17.490937948 CET	80	49743	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:17.491014004 CET	49743	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:17.663461924 CET	443	49744	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:17.667743921 CET	49744	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:17.672102928 CET	49744	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:17.672123909 CET	443	49744	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:17.672189951 CET	49744	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:17.672596931 CET	443	49744	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:17.673481941 CET	49744	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:18.035748959 CET	443	49746	34.160.144.191	192.168.2.6
Nov 25, 2024 20:11:18.036223888 CET	49746	443	192.168.2.6	34.160.144.191
Nov 25, 2024 20:11:18.038957119 CET	49746	443	192.168.2.6	34.160.144.191
Nov 25, 2024 20:11:18.038966894 CET	443	49746	34.160.144.191	192.168.2.6
Nov 25, 2024 20:11:18.039201021 CET	443	49746	34.160.144.191	192.168.2.6
Nov 25, 2024 20:11:18.041136980 CET	49746	443	192.168.2.6	34.160.144.191
Nov 25, 2024 20:11:18.041208982 CET	49746	443	192.168.2.6	34.160.144.191
Nov 25, 2024 20:11:18.041290045 CET	443	49746	34.160.144.191	192.168.2.6
Nov 25, 2024 20:11:18.041656971 CET	49746	443	192.168.2.6	34.160.144.191
Nov 25, 2024 20:11:18.083441019 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:18.135046005 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:21.071146965 CET	49762	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:21.071201086 CET	443	49762	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:21.071424007 CET	49762	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:21.072947025 CET	49762	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:21.072961092 CET	443	49762	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:21.074543953 CET	49763	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:21.074543953 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:21.196707010 CET	80	49763	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:21.196765900 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:21.196850061 CET	49763	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:21.197010994 CET	49763	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:21.317215919 CET	80	49763	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:21.407756090 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:21.535146952 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:21.652606010 CET	49763	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:21.814223051 CET	80	49763	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:22.125320911 CET	80	49763	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:22.125545025 CET	49763	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:22.356374979 CET	443	49762	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:22.356465101 CET	49762	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:22.361272097 CET	49762	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:22.361284018 CET	443	49762	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:22.361408949 CET	49762	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:22.361440897 CET	443	49762	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:22.361494064 CET	49762	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:22.377676010 CET	49767	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:22.377773046 CET	443	49767	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:22.377921104 CET	49767	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:22.379282951 CET	49767	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:22.379334927 CET	443	49767	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:23.668513060 CET	443	49767	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:23.668606043 CET	49767	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:23.673006058 CET	49767	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:23.673019886 CET	443	49767	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:23.673103094 CET	49767	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:23.673207045 CET	443	49767	34.117.188.166	192.168.2.6
Nov 25, 2024 20:11:23.674562931 CET	49767	443	192.168.2.6	34.117.188.166
Nov 25, 2024 20:11:26.165215015 CET	49776	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:26.199193001 CET	49777	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:26.199235916 CET	443	49777	34.107.243.93	192.168.2.6
Nov 25, 2024 20:11:26.202471018 CET	49777	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:26.203927994 CET	49777	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:26.203948021 CET	443	49777	34.107.243.93	192.168.2.6
Nov 25, 2024 20:11:26.262140989 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:26.285228014 CET	80	49776	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:26.285305023 CET	49776	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:26.285474062 CET	49776	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:26.328831911 CET	49778	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:26.328875065 CET	443	49778	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:26.329133034 CET	49778	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:26.330537081 CET	49778	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:26.330548048 CET	443	49778	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:26.382234097 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:26.405437946 CET	80	49776	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:26.483541965 CET	49779	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:26.483581066 CET	443	49779	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:26.484097004 CET	49779	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:26.486957073 CET	49779	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:26.486968994 CET	443	49779	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:26.577317953 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:26.622951984 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:27.183198929 CET	49776	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:27.305722952 CET	80	49776	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:27.305794001 CET	49776	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:27.423090935 CET	443	49777	34.107.243.93	192.168.2.6
Nov 25, 2024 20:11:27.423218012 CET	49777	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:27.428416967 CET	49777	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:27.428426027 CET	443	49777	34.107.243.93	192.168.2.6
Nov 25, 2024 20:11:27.428503036 CET	49777	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:27.428687096 CET	443	49777	34.107.243.93	192.168.2.6
Nov 25, 2024 20:11:27.428750992 CET	49777	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:27.433326006 CET	49785	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:27.441713095 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:27.554800034 CET	80	49785	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:27.560775042 CET	49785	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:27.561155081 CET	49785	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:27.562782049 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:27.585541010 CET	49786	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:27.585592985 CET	443	49786	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:27.589509010 CET	49786	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:27.591036081 CET	49786	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:27.591065884 CET	443	49786	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:27.646011114 CET	443	49778	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:27.651352882 CET	443	49778	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:27.662740946 CET	49778	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:27.667463064 CET	49778	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:27.667471886 CET	443	49778	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:27.667562962 CET	49778	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:27.667725086 CET	443	49778	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:27.671410084 CET	49778	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:27.681468010 CET	80	49785	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:27.701438904 CET	443	49779	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:27.702986002 CET	49779	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:27.708988905 CET	49779	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:27.709007025 CET	443	49779	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:27.709244967 CET	443	49779	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:27.711391926 CET	49779	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:27.711462975 CET	49779	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:27.711539984 CET	443	49779	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:27.716855049 CET	49779	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:27.716882944 CET	49779	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:27.758018017 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:27.811427116 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:27.833779097 CET	49785	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:27.839608908 CET	49787	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:27.879009008 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:27.960052967 CET	80	49787	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:27.960185051 CET	49787	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:27.960575104 CET	49787	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:27.998047113 CET	80	49785	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:28.000725985 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:28.027570963 CET	49788	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:28.027610064 CET	443	49788	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:28.030344009 CET	49788	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:28.032438993 CET	49788	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:28.032450914 CET	443	49788	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:28.081636906 CET	80	49787	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:28.196224928 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:28.250277996 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:28.453485966 CET	49787	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:28.575304985 CET	80	49785	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:28.575640917 CET	49785	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:28.672555923 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:28.696074963 CET	80	49787	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:28.822575092 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:28.822659969 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:28.857156992 CET	443	49786	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:28.867655039 CET	49786	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:28.888746023 CET	80	49787	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:28.888842106 CET	49787	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:29.253602028 CET	443	49788	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:29.253686905 CET	49788	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:29.698679924 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:29.705560923 CET	49786	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:29.705579042 CET	443	49786	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:29.705650091 CET	49786	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:29.705756903 CET	49788	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:29.705776930 CET	443	49788	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:29.705833912 CET	49788	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:29.705923080 CET	443	49786	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:29.706068993 CET	49786	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:29.706150055 CET	443	49788	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:29.706219912 CET	49788	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:29.820283890 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:30.023137093 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:30.071186066 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:31.043684006 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:31.163647890 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:31.358484030 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:31.406210899 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:32.091950893 CET	49800	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:32.091965914 CET	443	49800	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:32.092633963 CET	49800	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:32.094208956 CET	49800	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:32.094223976 CET	443	49800	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:32.094368935 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:32.215693951 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:32.340924978 CET	49801	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:32.341001034 CET	443	49801	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:32.345307112 CET	49801	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:32.345446110 CET	49801	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:32.345457077 CET	443	49801	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:32.347534895 CET	49802	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:32.347567081 CET	443	49802	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:32.351907015 CET	49802	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:32.352066994 CET	49802	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:32.352080107 CET	443	49802	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:32.410547018 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:32.462513924 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:32.610408068 CET	49803	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:32.610434055 CET	443	49803	34.107.243.93	192.168.2.6
Nov 25, 2024 20:11:32.610852003 CET	49803	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:32.612317085 CET	49803	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:32.612330914 CET	443	49803	34.107.243.93	192.168.2.6
Nov 25, 2024 20:11:33.361368895 CET	443	49800	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:33.361463070 CET	49800	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:33.467453003 CET	49800	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:33.467525959 CET	443	49800	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:33.467557907 CET	49800	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:33.468132019 CET	443	49800	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:33.468214989 CET	49800	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:33.563057899 CET	443	49801	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:33.563167095 CET	49801	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:33.608091116 CET	49801	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:33.608123064 CET	443	49801	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:33.608967066 CET	443	49801	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:33.615353107 CET	443	49802	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:33.615423918 CET	49802	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:33.618087053 CET	49802	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:33.618094921 CET	443	49802	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:33.618297100 CET	443	49802	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:33.620950937 CET	49801	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:33.621042967 CET	49801	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:33.621124983 CET	49802	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:33.621248960 CET	443	49802	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:33.621403933 CET	443	49801	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:33.622082949 CET	49801	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:33.622102976 CET	49802	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:33.736845970 CET	49802	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:11:33.736852884 CET	443	49802	34.120.208.123	192.168.2.6
Nov 25, 2024 20:11:33.738220930 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:33.858428001 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:33.964164019 CET	443	49803	34.107.243.93	192.168.2.6
Nov 25, 2024 20:11:33.964237928 CET	49803	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:33.969299078 CET	49803	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:33.969304085 CET	443	49803	34.107.243.93	192.168.2.6
Nov 25, 2024 20:11:33.969377995 CET	49803	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:33.969458103 CET	443	49803	34.107.243.93	192.168.2.6
Nov 25, 2024 20:11:33.969855070 CET	49803	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:34.053595066 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:34.056910038 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:34.097680092 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:34.176843882 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:34.371278048 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:34.414858103 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:35.668550968 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:35.788593054 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:35.983578920 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:35.986548901 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:36.035173893 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:36.109761000 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:36.304864883 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:36.351609945 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:42.137284994 CET	49827	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:42.137316942 CET	443	49827	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:42.140986919 CET	49827	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:42.141134977 CET	49827	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:42.141139030 CET	443	49827	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:42.192626953 CET	49828	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:42.192679882 CET	443	49828	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:42.192899942 CET	49828	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:42.193030119 CET	49828	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:42.193039894 CET	443	49828	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:42.205421925 CET	49829	443	192.168.2.6	35.190.72.216
Nov 25, 2024 20:11:42.205440044 CET	443	49829	35.190.72.216	192.168.2.6
Nov 25, 2024 20:11:42.206096888 CET	49829	443	192.168.2.6	35.190.72.216
Nov 25, 2024 20:11:42.207492113 CET	49829	443	192.168.2.6	35.190.72.216
Nov 25, 2024 20:11:42.207504034 CET	443	49829	35.190.72.216	192.168.2.6
Nov 25, 2024 20:11:42.374501944 CET	49830	443	192.168.2.6	151.101.65.91
Nov 25, 2024 20:11:42.374530077 CET	443	49830	151.101.65.91	192.168.2.6
Nov 25, 2024 20:11:42.374727964 CET	49830	443	192.168.2.6	151.101.65.91
Nov 25, 2024 20:11:42.374752045 CET	49830	443	192.168.2.6	151.101.65.91
Nov 25, 2024 20:11:42.374757051 CET	443	49830	151.101.65.91	192.168.2.6
Nov 25, 2024 20:11:42.529692888 CET	49833	443	192.168.2.6	35.201.103.21
Nov 25, 2024 20:11:42.529711008 CET	443	49833	35.201.103.21	192.168.2.6
Nov 25, 2024 20:11:42.530086040 CET	49833	443	192.168.2.6	35.201.103.21
Nov 25, 2024 20:11:42.531532049 CET	49833	443	192.168.2.6	35.201.103.21
Nov 25, 2024 20:11:42.531546116 CET	443	49833	35.201.103.21	192.168.2.6
Nov 25, 2024 20:11:43.369599104 CET	443	49827	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:43.369677067 CET	49827	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:43.372733116 CET	49827	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:43.372740030 CET	443	49827	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:43.373128891 CET	443	49827	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:43.375046015 CET	49827	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:43.375150919 CET	49827	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:43.375233889 CET	443	49827	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:43.375325918 CET	49827	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:43.379354000 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:43.496207952 CET	443	49828	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:43.496290922 CET	49828	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:43.499387980 CET	49828	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:43.499393940 CET	443	49828	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:43.499479055 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:43.499716043 CET	443	49828	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:43.502064943 CET	49828	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:43.502221107 CET	49828	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:43.502258062 CET	443	49828	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:43.502620935 CET	49838	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:43.502656937 CET	443	49838	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:43.502681017 CET	49828	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:43.502794027 CET	49838	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:43.502933979 CET	49838	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:43.502942085 CET	443	49838	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:43.512528896 CET	443	49829	35.190.72.216	192.168.2.6
Nov 25, 2024 20:11:43.512603045 CET	49829	443	192.168.2.6	35.190.72.216
Nov 25, 2024 20:11:43.516833067 CET	49829	443	192.168.2.6	35.190.72.216
Nov 25, 2024 20:11:43.516838074 CET	443	49829	35.190.72.216	192.168.2.6
Nov 25, 2024 20:11:43.516927958 CET	49829	443	192.168.2.6	35.190.72.216
Nov 25, 2024 20:11:43.516973972 CET	443	49829	35.190.72.216	192.168.2.6
Nov 25, 2024 20:11:43.517117023 CET	49829	443	192.168.2.6	35.190.72.216
Nov 25, 2024 20:11:43.818106890 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:43.821845055 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:43.826569080 CET	443	49833	35.201.103.21	192.168.2.6
Nov 25, 2024 20:11:43.826801062 CET	49833	443	192.168.2.6	35.201.103.21
Nov 25, 2024 20:11:43.829018116 CET	443	49830	151.101.65.91	192.168.2.6
Nov 25, 2024 20:11:43.830467939 CET	49833	443	192.168.2.6	35.201.103.21
Nov 25, 2024 20:11:43.830473900 CET	443	49833	35.201.103.21	192.168.2.6
Nov 25, 2024 20:11:43.830554962 CET	49833	443	192.168.2.6	35.201.103.21
Nov 25, 2024 20:11:43.830646038 CET	443	49833	35.201.103.21	192.168.2.6
Nov 25, 2024 20:11:43.832720041 CET	49833	443	192.168.2.6	35.201.103.21
Nov 25, 2024 20:11:43.832751989 CET	49830	443	192.168.2.6	151.101.65.91
Nov 25, 2024 20:11:43.835431099 CET	49830	443	192.168.2.6	151.101.65.91
Nov 25, 2024 20:11:43.835441113 CET	443	49830	151.101.65.91	192.168.2.6
Nov 25, 2024 20:11:43.835926056 CET	443	49830	151.101.65.91	192.168.2.6
Nov 25, 2024 20:11:43.837248087 CET	49830	443	192.168.2.6	151.101.65.91
Nov 25, 2024 20:11:43.837323904 CET	49830	443	192.168.2.6	151.101.65.91
Nov 25, 2024 20:11:43.837445974 CET	443	49830	151.101.65.91	192.168.2.6
Nov 25, 2024 20:11:43.839433908 CET	49830	443	192.168.2.6	151.101.65.91
Nov 25, 2024 20:11:43.839433908 CET	49830	443	192.168.2.6	151.101.65.91
Nov 25, 2024 20:11:43.844239950 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:43.846525908 CET	49839	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:43.846554995 CET	443	49839	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:43.847702026 CET	49839	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:43.847841978 CET	49839	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:43.847848892 CET	443	49839	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:43.849586964 CET	49840	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:43.849606037 CET	443	49840	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:43.849929094 CET	49840	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:43.850034952 CET	49840	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:43.850048065 CET	443	49840	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:43.852179050 CET	49841	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:43.852202892 CET	443	49841	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:43.852499008 CET	49841	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:43.852581978 CET	49841	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:43.852591038 CET	443	49841	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:43.854064941 CET	49842	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:43.854090929 CET	443	49842	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:43.854202986 CET	49842	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:43.854300022 CET	49842	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:43.854312897 CET	443	49842	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:43.941834927 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:43.964193106 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:44.136914968 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:44.159435987 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:44.165826082 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:44.202754021 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:44.285748005 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:44.423676014 CET	49843	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:44.423707962 CET	443	49843	34.107.243.93	192.168.2.6
Nov 25, 2024 20:11:44.424140930 CET	49843	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:44.425507069 CET	49843	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:44.425518990 CET	443	49843	34.107.243.93	192.168.2.6
Nov 25, 2024 20:11:44.481745958 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:44.539819956 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:45.001627922 CET	443	49838	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:45.001713991 CET	49838	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:45.004632950 CET	49838	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:45.004641056 CET	443	49838	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:45.004910946 CET	443	49838	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:45.007102966 CET	49838	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:45.007201910 CET	49838	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:45.007268906 CET	443	49838	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:45.007472038 CET	49838	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:45.012388945 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:45.068624973 CET	443	49841	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:45.068701982 CET	49841	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:45.071369886 CET	49841	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:45.071376085 CET	443	49841	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:45.071728945 CET	443	49841	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:45.074366093 CET	49841	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:45.074462891 CET	49841	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:45.074558020 CET	443	49841	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:45.074613094 CET	49841	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:45.105345011 CET	443	49839	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:45.105475903 CET	49839	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:45.107981920 CET	49839	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:45.107991934 CET	443	49839	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:45.108213902 CET	443	49839	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:45.110726118 CET	49839	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:45.110819101 CET	49839	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:45.110852003 CET	443	49839	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:45.110970974 CET	49839	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:45.132975101 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:45.160558939 CET	443	49840	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:45.160644054 CET	49840	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:45.160717010 CET	443	49842	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:45.160785913 CET	49842	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:45.163508892 CET	49840	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:45.163517952 CET	443	49840	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:45.163794994 CET	443	49840	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:45.166744947 CET	49842	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:45.166755915 CET	443	49842	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:45.167042017 CET	443	49842	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:45.169790030 CET	49840	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:45.169888973 CET	49840	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:45.169929028 CET	443	49840	35.244.181.201	192.168.2.6
Nov 25, 2024 20:11:45.170407057 CET	49842	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:45.170460939 CET	49842	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:45.170553923 CET	443	49842	34.149.100.209	192.168.2.6
Nov 25, 2024 20:11:45.171240091 CET	49840	443	192.168.2.6	35.244.181.201
Nov 25, 2024 20:11:45.171257019 CET	49842	443	192.168.2.6	34.149.100.209
Nov 25, 2024 20:11:45.331362009 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:45.334337950 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:45.374986887 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:45.454638958 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:45.649571896 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:45.691493034 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:45.703618050 CET	443	49843	34.107.243.93	192.168.2.6
Nov 25, 2024 20:11:45.703696966 CET	49843	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:45.707259893 CET	49843	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:45.707272053 CET	443	49843	34.107.243.93	192.168.2.6
Nov 25, 2024 20:11:45.707356930 CET	49843	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:45.707684040 CET	443	49843	34.107.243.93	192.168.2.6
Nov 25, 2024 20:11:45.707734108 CET	49843	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:11:45.710287094 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:45.832638979 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:46.030575991 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:46.033477068 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:46.077042103 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:46.153852940 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:46.352107048 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:46.393516064 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:56.037072897 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:56.161168098 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:11:56.353569984 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:11:56.475502014 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:05.977643967 CET	49895	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:12:05.977658033 CET	443	49895	34.107.243.93	192.168.2.6
Nov 25, 2024 20:12:05.978045940 CET	49895	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:12:05.979582071 CET	49895	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:12:05.979594946 CET	443	49895	34.107.243.93	192.168.2.6
Nov 25, 2024 20:12:06.166320086 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:06.286197901 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:06.482831001 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:06.609627962 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:07.237056017 CET	443	49895	34.107.243.93	192.168.2.6
Nov 25, 2024 20:12:07.237143040 CET	49895	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:12:07.241718054 CET	49895	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:12:07.241724968 CET	443	49895	34.107.243.93	192.168.2.6
Nov 25, 2024 20:12:07.241825104 CET	49895	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:12:07.241858006 CET	443	49895	34.107.243.93	192.168.2.6
Nov 25, 2024 20:12:07.242079020 CET	49895	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:12:07.243918896 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:07.367355108 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:07.564505100 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:07.567610025 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:07.608131886 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:07.689976931 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:07.884624004 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:07.940289021 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:12.106472969 CET	49908	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.106520891 CET	443	49908	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:12.106628895 CET	49909	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.106664896 CET	443	49909	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:12.106749058 CET	49910	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.106760979 CET	443	49910	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:12.106867075 CET	49911	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.106873989 CET	443	49911	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:12.106990099 CET	49912	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.107029915 CET	443	49912	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:12.107120037 CET	49913	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.107155085 CET	443	49913	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:12.107842922 CET	49908	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.107862949 CET	49909	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.107862949 CET	49911	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.107871056 CET	49910	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.107880116 CET	49913	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.107882023 CET	49912	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.108148098 CET	49908	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.108160019 CET	443	49908	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:12.108263016 CET	49913	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.108275890 CET	443	49913	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:12.108335018 CET	49912	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.108346939 CET	443	49912	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:12.108403921 CET	49911	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.108417034 CET	443	49911	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:12.108465910 CET	49910	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.108474016 CET	443	49910	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:12.108549118 CET	49909	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:12.108565092 CET	443	49909	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.339370012 CET	443	49913	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.339380980 CET	443	49911	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.339498997 CET	49913	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.339502096 CET	49911	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.342863083 CET	49913	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.342868090 CET	443	49913	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.343123913 CET	443	49913	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.345304012 CET	49911	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.345315933 CET	443	49911	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.345541954 CET	443	49911	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.348535061 CET	49911	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.348654032 CET	49911	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.348675013 CET	443	49911	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.349071980 CET	49917	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.349102974 CET	443	49917	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.349220037 CET	49913	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.349272966 CET	49913	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.349356890 CET	443	49913	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.349647045 CET	49918	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.349675894 CET	443	49918	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.349711895 CET	49911	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.349735975 CET	49917	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.349739075 CET	49913	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.349874020 CET	49917	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.349886894 CET	443	49917	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.349948883 CET	49918	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.350075960 CET	49918	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.350086927 CET	443	49918	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.352715015 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:13.385361910 CET	443	49910	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.385458946 CET	49910	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.387207985 CET	443	49909	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.387291908 CET	49909	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.387864113 CET	443	49908	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.387933016 CET	49908	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.388803005 CET	49910	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.388812065 CET	443	49910	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.389143944 CET	443	49910	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.392030954 CET	49908	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.392036915 CET	443	49908	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.392281055 CET	443	49908	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.394526958 CET	49909	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.394536972 CET	443	49909	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.394799948 CET	443	49909	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.398406982 CET	49910	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.398528099 CET	49910	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.398617983 CET	443	49910	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.398783922 CET	49908	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.398837090 CET	49908	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.398942947 CET	443	49908	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.399450064 CET	49910	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.399468899 CET	49908	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.399468899 CET	49909	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.399586916 CET	49909	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.399629116 CET	443	49909	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.399713993 CET	49909	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.432197094 CET	443	49912	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.432554960 CET	49912	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.435698986 CET	49912	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.435709000 CET	443	49912	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.435951948 CET	443	49912	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.438402891 CET	49912	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.438524008 CET	49912	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.438549995 CET	443	49912	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:13.438684940 CET	49912	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:13.475975037 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:13.671134949 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:13.674455881 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:13.725697994 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:13.794457912 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:13.988987923 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:14.042196035 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:14.570240021 CET	443	49917	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:14.570334911 CET	49917	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:14.573143959 CET	49917	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:14.573157072 CET	443	49917	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:14.573391914 CET	443	49917	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:14.575489044 CET	49917	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:14.575618982 CET	49917	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:14.575683117 CET	443	49917	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:14.576438904 CET	49917	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:14.578098059 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:14.612265110 CET	443	49918	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:14.612477064 CET	49918	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:14.615331888 CET	49918	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:14.615339994 CET	443	49918	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:14.615575075 CET	443	49918	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:14.617803097 CET	49918	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:14.617901087 CET	49918	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:14.617924929 CET	443	49918	34.120.208.123	192.168.2.6
Nov 25, 2024 20:12:14.618655920 CET	49918	443	192.168.2.6	34.120.208.123
Nov 25, 2024 20:12:14.700308084 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:14.896189928 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:14.905837059 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:14.950738907 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:15.030690908 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:15.227145910 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:15.282877922 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:24.910619020 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:25.031269073 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:25.249253035 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:25.369144917 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:35.039727926 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:35.164819002 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:35.378377914 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:35.498270035 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:45.169047117 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:45.289242029 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:45.507707119 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:45.633238077 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:47.923027992 CET	49994	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:12:47.923069954 CET	443	49994	34.107.243.93	192.168.2.6
Nov 25, 2024 20:12:47.923415899 CET	49994	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:12:47.924882889 CET	49994	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:12:47.924896955 CET	443	49994	34.107.243.93	192.168.2.6
Nov 25, 2024 20:12:49.183196068 CET	443	49994	34.107.243.93	192.168.2.6
Nov 25, 2024 20:12:49.183279991 CET	49994	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:12:49.189711094 CET	49994	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:12:49.189733028 CET	443	49994	34.107.243.93	192.168.2.6
Nov 25, 2024 20:12:49.189817905 CET	49994	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:12:49.189889908 CET	443	49994	34.107.243.93	192.168.2.6
Nov 25, 2024 20:12:49.190042019 CET	49994	443	192.168.2.6	34.107.243.93
Nov 25, 2024 20:12:49.192725897 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:49.316518068 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:49.511795044 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:49.515074015 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:49.562987089 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:49.636301041 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:49.831964970 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:49.882648945 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:59.526127100 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:59.647505045 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:12:59.850815058 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:12:59.970824003 CET	80	49789	34.107.221.82	192.168.2.6
Nov 25, 2024 20:13:09.655770063 CET	49747	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:13:09.781466007 CET	80	49747	34.107.221.82	192.168.2.6
Nov 25, 2024 20:13:09.976934910 CET	49789	80	192.168.2.6	34.107.221.82
Nov 25, 2024 20:13:10.100548983 CET	80	49789	34.107.221.82	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 20:11:12.945588112 CET	55952	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:13.096064091 CET	53	55952	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:13.175328970 CET	63819	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:13.316704988 CET	53	63819	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:14.182111025 CET	59377	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:14.182383060 CET	49915	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:14.319787979 CET	53	59377	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:14.320921898 CET	53957	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:14.323993921 CET	50133	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:14.461162090 CET	53	53957	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:14.461703062 CET	51902	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:14.465847015 CET	53	50133	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:14.466701984 CET	57010	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:14.476118088 CET	52054	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:14.492872000 CET	58787	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:14.600034952 CET	53	51902	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:14.606195927 CET	53	57010	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:14.614473104 CET	53	52054	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:14.630419016 CET	53	58787	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:15.097390890 CET	53228	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:15.097892046 CET	53963	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:15.098166943 CET	56094	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:15.248919010 CET	53	53228	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:15.250030994 CET	53582	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:15.252497911 CET	53	53963	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:15.253892899 CET	50240	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:15.310956955 CET	56300	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:15.392797947 CET	53	53582	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:15.396284103 CET	53	50240	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:15.452130079 CET	53	56300	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:15.453675985 CET	62094	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:15.597860098 CET	53	62094	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:15.604175091 CET	50180	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:15.745434046 CET	53	50180	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:15.856647968 CET	58817	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:15.857283115 CET	63615	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:15.918661118 CET	49563	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:15.994419098 CET	53	58817	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:15.994743109 CET	53	63615	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:16.089626074 CET	56094	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:16.171943903 CET	63151	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:16.227348089 CET	53	56094	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:16.230191946 CET	58412	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:16.371042013 CET	53	58412	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:17.032706976 CET	53	63504	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:21.115755081 CET	50922	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:21.266272068 CET	53	50922	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:21.267121077 CET	58513	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:21.353955984 CET	62550	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:21.491714954 CET	53	62550	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:21.495379925 CET	62890	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:21.504786968 CET	53	58513	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:21.506392002 CET	52561	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:21.639868021 CET	53	62890	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:21.640744925 CET	49357	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:21.650194883 CET	53	52561	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:21.780956984 CET	53	49357	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:26.329025030 CET	59200	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:26.342992067 CET	59842	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:26.466876984 CET	53	59200	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:26.468122005 CET	62338	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:26.481678963 CET	53	59842	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:26.610919952 CET	53	62338	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:27.433794022 CET	62698	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:27.573518038 CET	53	62698	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:27.586025000 CET	50411	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:27.724666119 CET	53	50411	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:27.726620913 CET	58643	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:27.872684002 CET	53	58643	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:32.094795942 CET	51821	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:32.239443064 CET	53	51821	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:32.610744953 CET	57503	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:32.845195055 CET	53	57503	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:34.115309000 CET	49635	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:34.115721941 CET	52402	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:34.181446075 CET	57814	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:34.254743099 CET	53	49635	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:34.255100965 CET	53	52402	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:34.255590916 CET	62319	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:34.256071091 CET	56239	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:34.328022003 CET	53	57814	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:34.328773975 CET	54394	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:34.403881073 CET	53	62319	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:34.404308081 CET	53	56239	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:34.404647112 CET	53219	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:34.405069113 CET	49792	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:34.479085922 CET	53	54394	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:34.479845047 CET	59435	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:34.551218033 CET	53	53219	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:34.551325083 CET	53	49792	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:34.552066088 CET	59975	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:34.552555084 CET	63138	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:34.628993034 CET	53	59435	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:34.700426102 CET	53	63138	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:34.701474905 CET	53	59975	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:34.706661940 CET	63971	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:34.707247019 CET	59581	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:34.849261999 CET	53	63971	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:34.849750996 CET	53	59581	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:34.849956989 CET	50904	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:34.850368023 CET	64677	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:34.989777088 CET	53	50904	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:34.990000010 CET	53	64677	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:42.138303041 CET	52407	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:42.150779963 CET	57378	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:42.206027985 CET	64942	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:42.276628971 CET	53	52407	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:42.373009920 CET	53	57378	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:42.375116110 CET	64629	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:42.520534992 CET	53	64629	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:42.521426916 CET	52090	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:42.528811932 CET	53	64942	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:42.530016899 CET	53234	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:42.675966024 CET	53	53234	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:42.676697969 CET	57504	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:42.740905046 CET	53	52090	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:42.818195105 CET	53	57504	1.1.1.1	192.168.2.6
Nov 25, 2024 20:11:44.423928022 CET	63984	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:11:44.564512014 CET	53	63984	1.1.1.1	192.168.2.6
Nov 25, 2024 20:12:05.837074041 CET	62457	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:12:05.976695061 CET	53	62457	1.1.1.1	192.168.2.6
Nov 25, 2024 20:12:05.977977991 CET	54715	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:12:06.117660999 CET	53	54715	1.1.1.1	192.168.2.6
Nov 25, 2024 20:12:07.244153976 CET	54215	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:12:12.107188940 CET	59696	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:12:12.265805006 CET	53	59696	1.1.1.1	192.168.2.6
Nov 25, 2024 20:12:47.923355103 CET	62116	53	192.168.2.6	1.1.1.1
Nov 25, 2024 20:12:48.061091900 CET	53	62116	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 20:11:12.945588112 CET	192.168.2.6	1.1.1.1	0x8b81	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:13.175328970 CET	192.168.2.6	1.1.1.1	0xbc1b	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 20:11:14.182111025 CET	192.168.2.6	1.1.1.1	0x8e4f	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:14.182383060 CET	192.168.2.6	1.1.1.1	0x64f5	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:14.320921898 CET	192.168.2.6	1.1.1.1	0xf04f	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:14.323993921 CET	192.168.2.6	1.1.1.1	0x2844	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:14.461703062 CET	192.168.2.6	1.1.1.1	0x155f	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 25, 2024 20:11:14.466701984 CET	192.168.2.6	1.1.1.1	0x1f8e	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 20:11:14.476118088 CET	192.168.2.6	1.1.1.1	0x86e7	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:14.492872000 CET	192.168.2.6	1.1.1.1	0x2d64	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:15.097390890 CET	192.168.2.6	1.1.1.1	0x9ee	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:15.097892046 CET	192.168.2.6	1.1.1.1	0x8e1d	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:15.098166943 CET	192.168.2.6	1.1.1.1	0xa7a7	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:15.250030994 CET	192.168.2.6	1.1.1.1	0x59b4	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 20:11:15.253892899 CET	192.168.2.6	1.1.1.1	0x6056	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 20:11:15.310956955 CET	192.168.2.6	1.1.1.1	0xefc7	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:15.453675985 CET	192.168.2.6	1.1.1.1	0x6b6d	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:15.604175091 CET	192.168.2.6	1.1.1.1	0xb54b	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 20:11:15.856647968 CET	192.168.2.6	1.1.1.1	0x8ca4	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:15.857283115 CET	192.168.2.6	1.1.1.1	0xd4c8	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:15.918661118 CET	192.168.2.6	1.1.1.1	0x33c9	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:16.089626074 CET	192.168.2.6	1.1.1.1	0xa7a7	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:16.171943903 CET	192.168.2.6	1.1.1.1	0xd053	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:16.230191946 CET	192.168.2.6	1.1.1.1	0x934c	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 20:11:21.115755081 CET	192.168.2.6	1.1.1.1	0xfd71	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:21.267121077 CET	192.168.2.6	1.1.1.1	0xe70b	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:21.353955984 CET	192.168.2.6	1.1.1.1	0xeed6	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:21.495379925 CET	192.168.2.6	1.1.1.1	0xe194	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:21.506392002 CET	192.168.2.6	1.1.1.1	0x9291	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 20:11:21.640744925 CET	192.168.2.6	1.1.1.1	0x3ceb	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 20:11:26.329025030 CET	192.168.2.6	1.1.1.1	0x2596	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:26.342992067 CET	192.168.2.6	1.1.1.1	0xf978	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 20:11:26.468122005 CET	192.168.2.6	1.1.1.1	0xf9d7	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 20:11:27.433794022 CET	192.168.2.6	1.1.1.1	0x7585	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:27.586025000 CET	192.168.2.6	1.1.1.1	0xa225	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:27.726620913 CET	192.168.2.6	1.1.1.1	0x4fd8	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 20:11:32.094795942 CET	192.168.2.6	1.1.1.1	0x1be9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 20:11:32.610744953 CET	192.168.2.6	1.1.1.1	0xe7aa	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 20:11:34.115309000 CET	192.168.2.6	1.1.1.1	0xbf6c	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.115721941 CET	192.168.2.6	1.1.1.1	0x68f2	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.181446075 CET	192.168.2.6	1.1.1.1	0x2faa	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.255590916 CET	192.168.2.6	1.1.1.1	0x6e1e	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.256071091 CET	192.168.2.6	1.1.1.1	0x2e4f	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.328773975 CET	192.168.2.6	1.1.1.1	0xdc3f	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.404647112 CET	192.168.2.6	1.1.1.1	0x82e2	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 25, 2024 20:11:34.405069113 CET	192.168.2.6	1.1.1.1	0x201e	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 25, 2024 20:11:34.479845047 CET	192.168.2.6	1.1.1.1	0x1d0b	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 25, 2024 20:11:34.552066088 CET	192.168.2.6	1.1.1.1	0x34c2	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.552555084 CET	192.168.2.6	1.1.1.1	0x39c1	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.706661940 CET	192.168.2.6	1.1.1.1	0xa76c	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.707247019 CET	192.168.2.6	1.1.1.1	0xe41e	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.849956989 CET	192.168.2.6	1.1.1.1	0x4147	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 25, 2024 20:11:34.850368023 CET	192.168.2.6	1.1.1.1	0xf3a	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 25, 2024 20:11:42.138303041 CET	192.168.2.6	1.1.1.1	0x4826	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 20:11:42.150779963 CET	192.168.2.6	1.1.1.1	0x30b5	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:42.206027985 CET	192.168.2.6	1.1.1.1	0x9d98	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:42.375116110 CET	192.168.2.6	1.1.1.1	0x2723	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:42.521426916 CET	192.168.2.6	1.1.1.1	0xe8	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 25, 2024 20:11:42.530016899 CET	192.168.2.6	1.1.1.1	0xc37	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:42.676697969 CET	192.168.2.6	1.1.1.1	0x9f38	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 20:11:44.423928022 CET	192.168.2.6	1.1.1.1	0x5ecc	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 20:12:05.837074041 CET	192.168.2.6	1.1.1.1	0x680a	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:12:05.977977991 CET	192.168.2.6	1.1.1.1	0x55c5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 20:12:07.244153976 CET	192.168.2.6	1.1.1.1	0xe282	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:12:12.107188940 CET	192.168.2.6	1.1.1.1	0xf7b7	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 20:12:47.923355103 CET	192.168.2.6	1.1.1.1	0xef71	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 20:11:04.001089096 CET	1.1.1.1	192.168.2.6	0x992c	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:04.001089096 CET	1.1.1.1	192.168.2.6	0x992c	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:12.939026117 CET	1.1.1.1	192.168.2.6	0x61cf	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:13.096064091 CET	1.1.1.1	192.168.2.6	0x8b81	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:14.319787979 CET	1.1.1.1	192.168.2.6	0x8e4f	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:14.320507050 CET	1.1.1.1	192.168.2.6	0x64f5	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:14.320507050 CET	1.1.1.1	192.168.2.6	0x64f5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:14.461162090 CET	1.1.1.1	192.168.2.6	0xf04f	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:14.465847015 CET	1.1.1.1	192.168.2.6	0x2844	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:14.600034952 CET	1.1.1.1	192.168.2.6	0x155f	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 25, 2024 20:11:14.606195927 CET	1.1.1.1	192.168.2.6	0x1f8e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 25, 2024 20:11:14.610280037 CET	1.1.1.1	192.168.2.6	0xf459	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:14.610280037 CET	1.1.1.1	192.168.2.6	0xf459	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:14.614473104 CET	1.1.1.1	192.168.2.6	0x86e7	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:14.630419016 CET	1.1.1.1	192.168.2.6	0x2d64	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:14.630419016 CET	1.1.1.1	192.168.2.6	0x2d64	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:15.248919010 CET	1.1.1.1	192.168.2.6	0x9ee	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:15.252497911 CET	1.1.1.1	192.168.2.6	0x8e1d	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:15.452130079 CET	1.1.1.1	192.168.2.6	0xefc7	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:15.452130079 CET	1.1.1.1	192.168.2.6	0xefc7	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:15.452130079 CET	1.1.1.1	192.168.2.6	0xefc7	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:15.597860098 CET	1.1.1.1	192.168.2.6	0x6b6d	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:15.745434046 CET	1.1.1.1	192.168.2.6	0xb54b	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 25, 2024 20:11:15.994419098 CET	1.1.1.1	192.168.2.6	0x8ca4	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:15.994743109 CET	1.1.1.1	192.168.2.6	0xd4c8	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:15.994743109 CET	1.1.1.1	192.168.2.6	0xd4c8	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:16.057677984 CET	1.1.1.1	192.168.2.6	0x33c9	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:16.057677984 CET	1.1.1.1	192.168.2.6	0x33c9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:16.227348089 CET	1.1.1.1	192.168.2.6	0xa7a7	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:16.580535889 CET	1.1.1.1	192.168.2.6	0xd053	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:21.266272068 CET	1.1.1.1	192.168.2.6	0xfd71	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:21.266272068 CET	1.1.1.1	192.168.2.6	0xfd71	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:21.266272068 CET	1.1.1.1	192.168.2.6	0xfd71	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:21.491714954 CET	1.1.1.1	192.168.2.6	0xeed6	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:21.504786968 CET	1.1.1.1	192.168.2.6	0xe70b	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:21.639868021 CET	1.1.1.1	192.168.2.6	0xe194	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:26.321933985 CET	1.1.1.1	192.168.2.6	0x8c78	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:26.466876984 CET	1.1.1.1	192.168.2.6	0x2596	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:26.480748892 CET	1.1.1.1	192.168.2.6	0x92f4	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:26.480748892 CET	1.1.1.1	192.168.2.6	0x92f4	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:27.573518038 CET	1.1.1.1	192.168.2.6	0x7585	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:27.573518038 CET	1.1.1.1	192.168.2.6	0x7585	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:27.724666119 CET	1.1.1.1	192.168.2.6	0xa225	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:28.026640892 CET	1.1.1.1	192.168.2.6	0x4c9f	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.254743099 CET	1.1.1.1	192.168.2.6	0xbf6c	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:34.254743099 CET	1.1.1.1	192.168.2.6	0xbf6c	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.254743099 CET	1.1.1.1	192.168.2.6	0xbf6c	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.254743099 CET	1.1.1.1	192.168.2.6	0xbf6c	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.254743099 CET	1.1.1.1	192.168.2.6	0xbf6c	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.254743099 CET	1.1.1.1	192.168.2.6	0xbf6c	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.254743099 CET	1.1.1.1	192.168.2.6	0xbf6c	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.254743099 CET	1.1.1.1	192.168.2.6	0xbf6c	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.254743099 CET	1.1.1.1	192.168.2.6	0xbf6c	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.254743099 CET	1.1.1.1	192.168.2.6	0xbf6c	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.255100965 CET	1.1.1.1	192.168.2.6	0x68f2	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:34.255100965 CET	1.1.1.1	192.168.2.6	0x68f2	No error (0)	star-mini.c10r.facebook.com		157.240.195.35	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.328022003 CET	1.1.1.1	192.168.2.6	0x2faa	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:34.328022003 CET	1.1.1.1	192.168.2.6	0x2faa	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.403881073 CET	1.1.1.1	192.168.2.6	0x6e1e	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.403881073 CET	1.1.1.1	192.168.2.6	0x6e1e	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.403881073 CET	1.1.1.1	192.168.2.6	0x6e1e	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.403881073 CET	1.1.1.1	192.168.2.6	0x6e1e	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.403881073 CET	1.1.1.1	192.168.2.6	0x6e1e	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.403881073 CET	1.1.1.1	192.168.2.6	0x6e1e	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.403881073 CET	1.1.1.1	192.168.2.6	0x6e1e	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.403881073 CET	1.1.1.1	192.168.2.6	0x6e1e	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.403881073 CET	1.1.1.1	192.168.2.6	0x6e1e	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.404308081 CET	1.1.1.1	192.168.2.6	0x2e4f	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.479085922 CET	1.1.1.1	192.168.2.6	0xdc3f	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.551218033 CET	1.1.1.1	192.168.2.6	0x82e2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 20:11:34.551218033 CET	1.1.1.1	192.168.2.6	0x82e2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 20:11:34.551218033 CET	1.1.1.1	192.168.2.6	0x82e2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 20:11:34.551218033 CET	1.1.1.1	192.168.2.6	0x82e2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 20:11:34.551325083 CET	1.1.1.1	192.168.2.6	0x201e	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 25, 2024 20:11:34.628993034 CET	1.1.1.1	192.168.2.6	0x1d0b	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 25, 2024 20:11:34.700426102 CET	1.1.1.1	192.168.2.6	0x39c1	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.701474905 CET	1.1.1.1	192.168.2.6	0x34c2	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:34.701474905 CET	1.1.1.1	192.168.2.6	0x34c2	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.701474905 CET	1.1.1.1	192.168.2.6	0x34c2	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.701474905 CET	1.1.1.1	192.168.2.6	0x34c2	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.701474905 CET	1.1.1.1	192.168.2.6	0x34c2	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.849261999 CET	1.1.1.1	192.168.2.6	0xa76c	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.849750996 CET	1.1.1.1	192.168.2.6	0xe41e	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.849750996 CET	1.1.1.1	192.168.2.6	0xe41e	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.849750996 CET	1.1.1.1	192.168.2.6	0xe41e	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:34.849750996 CET	1.1.1.1	192.168.2.6	0xe41e	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:40.018342018 CET	1.1.1.1	192.168.2.6	0xdfdc	No error (0)	g-bing-com.ax-0001.ax-msedge.net	ax-0001.ax-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:40.018342018 CET	1.1.1.1	192.168.2.6	0xdfdc	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:40.018342018 CET	1.1.1.1	192.168.2.6	0xdfdc	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:42.373009920 CET	1.1.1.1	192.168.2.6	0x30b5	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:42.373009920 CET	1.1.1.1	192.168.2.6	0x30b5	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:42.373009920 CET	1.1.1.1	192.168.2.6	0x30b5	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:42.373009920 CET	1.1.1.1	192.168.2.6	0x30b5	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:42.520534992 CET	1.1.1.1	192.168.2.6	0x2723	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:42.520534992 CET	1.1.1.1	192.168.2.6	0x2723	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:42.520534992 CET	1.1.1.1	192.168.2.6	0x2723	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:42.520534992 CET	1.1.1.1	192.168.2.6	0x2723	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:42.528811932 CET	1.1.1.1	192.168.2.6	0x9d98	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:42.528811932 CET	1.1.1.1	192.168.2.6	0x9d98	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:42.675966024 CET	1.1.1.1	192.168.2.6	0xc37	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:11:42.740905046 CET	1.1.1.1	192.168.2.6	0xe8	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 20:11:42.740905046 CET	1.1.1.1	192.168.2.6	0xe8	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 20:11:42.740905046 CET	1.1.1.1	192.168.2.6	0xe8	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 20:11:42.740905046 CET	1.1.1.1	192.168.2.6	0xe8	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 20:11:45.733006954 CET	1.1.1.1	192.168.2.6	0xb044	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:11:45.733006954 CET	1.1.1.1	192.168.2.6	0xb044	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:12:05.976695061 CET	1.1.1.1	192.168.2.6	0x680a	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:12:07.389267921 CET	1.1.1.1	192.168.2.6	0xe282	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 20:12:07.389267921 CET	1.1.1.1	192.168.2.6	0xe282	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 20:12:12.100928068 CET	1.1.1.1	192.168.2.6	0x5b4c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49728	34.107.221.82	80	8044	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 20:11:14.446259022 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:11:15.578346014 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 37227 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49743	34.107.221.82	80	8044	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 20:11:16.189760923 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 20:11:17.370151043 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 24 Nov 2024 19:39:57 GMT Age: 84680 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49747	34.107.221.82	80	8044	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 20:11:16.991758108 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:11:18.083441019 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 05:00:13 GMT Age: 51064 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 20:11:21.074543953 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:11:21.407756090 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 05:00:13 GMT Age: 51068 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 20:11:26.262140989 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:11:26.577317953 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 05:00:13 GMT Age: 51073 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 20:11:27.441713095 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:11:27.758018017 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 05:00:13 GMT Age: 51074 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 20:11:27.879009008 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:11:28.196224928 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 05:00:13 GMT Age: 51075 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 20:11:31.043684006 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:11:31.358484030 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 05:00:13 GMT Age: 51078 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 20:11:33.738220930 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:11:34.053595066 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 05:00:13 GMT Age: 51080 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 20:11:35.668550968 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:11:35.983578920 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 05:00:13 GMT Age: 51082 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 20:11:43.379354000 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:11:43.818106890 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 05:00:13 GMT Age: 51090 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 20:11:43.844239950 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:11:44.159435987 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 05:00:13 GMT Age: 51091 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 20:11:45.012388945 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:11:45.331362009 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 05:00:13 GMT Age: 51092 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 20:11:45.710287094 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:11:46.030575991 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 05:00:13 GMT Age: 51092 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 20:11:56.037072897 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 20:12:06.166320086 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 20:12:07.243918896 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:12:07.564505100 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 05:00:13 GMT Age: 51114 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 20:12:13.352715015 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:12:13.671134949 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 05:00:13 GMT Age: 51120 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 20:12:14.578098059 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:12:14.896189928 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 05:00:13 GMT Age: 51121 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 20:12:24.910619020 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 20:12:35.039727926 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 20:12:45.169047117 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 20:12:49.192725897 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 20:12:49.511795044 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 05:00:13 GMT Age: 51156 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 20:12:59.526127100 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 20:13:09.655770063 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49763	34.107.221.82	80	8044	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 20:11:21.197010994 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49776	34.107.221.82	80	8044	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 20:11:26.285474062 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49785	34.107.221.82	80	8044	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 20:11:27.561155081 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49787	34.107.221.82	80	8044	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 20:11:27.960575104 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49789	34.107.221.82	80	8044	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 20:11:29.698679924 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 20:11:30.023137093 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 57451 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 20:11:32.094368935 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 20:11:32.410547018 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 57454 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 20:11:34.056910038 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 20:11:34.371278048 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 57456 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 20:11:35.986548901 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 20:11:36.304864883 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 57458 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 20:11:43.821845055 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 20:11:44.136914968 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 57465 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 20:11:44.165826082 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 20:11:44.481745958 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 57466 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 20:11:45.334337950 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 20:11:45.649571896 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 57467 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 20:11:46.033477068 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 20:11:46.352107048 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 57468 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 20:11:56.353569984 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 20:12:06.482831001 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 20:12:07.567610025 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 20:12:07.884624004 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 57489 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 20:12:13.674455881 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 20:12:13.988987923 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 57495 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 20:12:14.905837059 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 20:12:15.227145910 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 57497 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 20:12:25.249253035 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 20:12:35.378377914 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 20:12:45.507707119 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 20:12:49.515074015 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 20:12:49.831964970 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 57531 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 20:12:59.850815058 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 20:13:09.976934910 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	14:11:05
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe60000
File size:	922'624 bytes
MD5 hash:	3ADD5A1A6F0235A959501F89D3E16242
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:11:05
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x9c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:11:05
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:11:07
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x9c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:11:07
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:11:08
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x9c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:11:08
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:11:08
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x9c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:11:08
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:11:08
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x9c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:11:08
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:11:08
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:11:08
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	14:11:09
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	14:11:10
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2200 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cf237a4-7973-4ec8-84ee-07681bc278bc} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" 1bda816f510 socket
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	14:11:11
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4468 -parentBuildID 20230927232528 -prefsHandle 4460 -prefMapHandle 3996 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a5d1342-43e8-4a15-9f70-b771ca3599d0} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" 1bdba5c3110 rdd
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	14:11:26
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5088 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 2504 -prefMapHandle 5108 -prefsLen 33093 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15cd57e1-877b-49b0-a41c-7dabf754dcb4} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" 1bda8172310 utility
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1540
Total number of Limit Nodes:	54

Executed Functions

Function 00E642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E6430D

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

GetCurrentProcess.KERNEL32(?,00EFCB64,00000000,?,?), ref: 00E64422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00E64429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00E64454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E64466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00E64474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00E6447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00E644A0

Strings

GetNativeSystemInfo, xrefs: 00E64460
kernel32.dll, xrefs: 00E6444F
|O, xrefs: 00EA36F8

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 7d6e8da77edcb8850a8473d8d8558e590fbbb0e87a818eff7f081d09210f73d6
Instruction ID: 0a7a4a1367e33d15900d209d9e9337fca000f8ba6528b3730500a93f0bcc9356
Opcode Fuzzy Hash: 7d6e8da77edcb8850a8473d8d8558e590fbbb0e87a818eff7f081d09210f73d6
Instruction Fuzzy Hash: E8A106B290A3CCCFC721C7B97C451E57FE67B26364B186899E481B7B62D6304508FB22

Function 00E642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E650AA,?,?,00000000,00000000), ref: 00E642B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E650AA,?,?,00000000,00000000), ref: 00E642C9
LoadResource.KERNEL32(?,00000000,?,?,00E650AA,?,?,00000000,00000000,?,?,?,?,?,?,00E64F20), ref: 00EA35BE
SizeofResource.KERNEL32(?,00000000,?,?,00E650AA,?,?,00000000,00000000,?,?,?,?,?,?,00E64F20), ref: 00EA35D3
LockResource.KERNEL32(00E650AA,?,?,00E650AA,?,?,00000000,00000000,?,?,?,?,?,?,00E64F20,?), ref: 00EA35E6

Strings

SCRIPT, xrefs: 00E642BF

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: eafbd54413dcb70be702a1cbb25d729d3f160a5fb4b008e7acca7ece14c93a87
Instruction ID: 0c715c6e35e63fb6a7e5c9405f955d4580cef84b40fce3885f29be30013ef7e1
Opcode Fuzzy Hash: eafbd54413dcb70be702a1cbb25d729d3f160a5fb4b008e7acca7ece14c93a87
Instruction Fuzzy Hash: 78117CB0240704BFE7219B66ED58F677BB9EBC5B95F304169F502E62A0DB71EC14C620

Function 00ECDBBE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,"R), ref: 00ECDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00ECDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00ECDBEE
FindClose.KERNEL32(00000000), ref: 00ECDBFA

Strings

"R, xrefs: 00ECDBCA

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID: "R
API String ID: 2695905019-1746183819
Opcode ID: 73df1e0be4a3bc6f9e9f7528e0a1bb5a3f80be7cd026672ca653d2e3ac519e6f
Instruction ID: dcb3cd32175a2bb64639f84c6c76064a85b1a8b4cf410afb5d1ee3ff86afa7b4
Opcode Fuzzy Hash: 73df1e0be4a3bc6f9e9f7528e0a1bb5a3f80be7cd026672ca653d2e3ac519e6f
Instruction Fuzzy Hash: 94F0A7304149185B92206B789E0DDBA776C9F81334B304716F435E20F0EBB26959C595

Function 00EA2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00E62B6B

Part of subcall function 00E63A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F31418,?,00E62E7F,?,?,?,00000000), ref: 00E63A78

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00F22224), ref: 00EA2C10
ShellExecuteW.SHELL32(00000000,?,?,00F22224), ref: 00EA2C17

Strings

runas, xrefs: 00EA2C0B

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 4504a88034555ca8e4711ec6524304778f7b100f00c2ce539a648b575324d69d
Instruction ID: 6f6386b87cad41a48d12edaeb11aefbeaa81f7396502e81aa71ce065eeda90fc
Opcode Fuzzy Hash: 4504a88034555ca8e4711ec6524304778f7b100f00c2ce539a648b575324d69d
Instruction Fuzzy Hash: D111AF31288245AAC704FF74F8519BEB7E8AB957A4F54342DF182721A3CF319A49E712

Function 00E84CE8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00E928E9,(,00E84CBE,00000000,00F288B8,0000000C,00E84E15,(,00000002,00000000,?,00E928E9,00000003,00E92DF7,?,?), ref: 00E84D09
TerminateProcess.KERNEL32(00000000,?,00E928E9,00000003,00E92DF7,?,?,?,00E8E6D1,?,00F28A48,00000010,00E64F4A,?,?,00000000), ref: 00E84D10
ExitProcess.KERNEL32 ref: 00E84D22

Strings

(, xrefs: 00E84CEA

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID: (
API String ID: 1703294689-2063206799
Opcode ID: 8c60731689ea6db52b8d6cbf6582964a2bfb84c045ad3246ae8519958375c57b
Instruction ID: 478ee07082e5b1fa9b45883d52d1c386a008be264d02cc1554eea81d115ecd99
Opcode Fuzzy Hash: 8c60731689ea6db52b8d6cbf6582964a2bfb84c045ad3246ae8519958375c57b
Instruction Fuzzy Hash: 7CE0B6B1001149AFCF12BF65DE09A687B69EB81785B205054FC0DAA1A2DB35ED56DB80

Function 00ECD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00ECD501
Process32FirstW.KERNEL32(00000000,?), ref: 00ECD50F
Process32NextW.KERNEL32(00000000,?), ref: 00ECD52F
CloseHandle.KERNELBASE(00000000), ref: 00ECD5DC

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: c6ba6ebaa2c874349c6a1ada1e0cbe4a4f8c542b091cda2a24e8ca185c867246
Instruction ID: 80565d4bc74b217e3d09fb86ee31d40304d6b9eaea9f4e9c763dfe6d4a24fb65
Opcode Fuzzy Hash: c6ba6ebaa2c874349c6a1ada1e0cbe4a4f8c542b091cda2a24e8ca185c867246
Instruction Fuzzy Hash: D5318F711082009FD304EF54DD81EABBBF8AFD9394F24152DF581A31A2EB729949CB92

Function 00EEAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00EEB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EEB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EEB1D4
_wcslen.LIBCMT ref: 00EEB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EEB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EEB236
_wcslen.LIBCMT ref: 00EEB332

Part of subcall function 00ED05A7: GetStdHandle.KERNEL32(000000F6), ref: 00ED05C6

_wcslen.LIBCMT ref: 00EEB34B
_wcslen.LIBCMT ref: 00EEB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EEB3B6
GetLastError.KERNEL32(00000000), ref: 00EEB407
CloseHandle.KERNEL32(?), ref: 00EEB439
CloseHandle.KERNEL32(00000000), ref: 00EEB44A
CloseHandle.KERNEL32(00000000), ref: 00EEB45C
CloseHandle.KERNEL32(00000000), ref: 00EEB46E
CloseHandle.KERNEL32(?), ref: 00EEB4E3

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: cec4579529a14266630c188cbc26d79b94924cc734843a616fa8547dbf6e3b30
Instruction ID: f275052cccd3f35b2acaef2d232986f94780f817a53bb17a128f1ea946615576
Opcode Fuzzy Hash: cec4579529a14266630c188cbc26d79b94924cc734843a616fa8547dbf6e3b30
Instruction Fuzzy Hash: 83F1CC316083449FC724EF25D891B6FBBE5AF85314F18945DF899AB2A2DB30EC04CB52

Function 00E6D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00E6D807
timeGetTime.WINMM ref: 00E6DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E6DB28
TranslateMessage.USER32(?), ref: 00E6DB7B
DispatchMessageW.USER32(?), ref: 00E6DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E6DB9F
Sleep.KERNELBASE(0000000A), ref: 00E6DBB1

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 50de229d19770b8373d0f16a6b494d767c4aac4ab0e9e5895cbb4b3fb5071ecb
Instruction ID: 96223b3abc3af53e5b80ac887e679aaa783146790bcdd6f23add468af623132b
Opcode Fuzzy Hash: 50de229d19770b8373d0f16a6b494d767c4aac4ab0e9e5895cbb4b3fb5071ecb
Instruction Fuzzy Hash: 05422030B48245DFE728CF24DC84BAAB7E0FF85358F98A55DE559A7291C770E844CB82

Function 00E62CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E62D07
RegisterClassExW.USER32(00000030), ref: 00E62D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E62D42
InitCommonControlsEx.COMCTL32(?), ref: 00E62D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E62D6F
LoadIconW.USER32(000000A9), ref: 00E62D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E62D94

Strings

+, xrefs: 00E62CF0
AutoIt v3 GUI, xrefs: 00E62D23
TaskbarCreated, xrefs: 00E62D37
0, xrefs: 00E62CE9

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 0d5c3dde379aee1e2096059da2fbeda73496277ebc7a1e422b05e58ad9dc8608
Instruction ID: e509c690eca4d0afe3341efbf34c5ae69c3c8bc91459ffc3baceaad507ed91cd
Opcode Fuzzy Hash: 0d5c3dde379aee1e2096059da2fbeda73496277ebc7a1e422b05e58ad9dc8608
Instruction Fuzzy Hash: 5721E2B190220CEFDB00DFA5E949BEDBBB5FB48710F20811AE611B62A0D7B15548DF90

Function 00EA065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EA039A: CreateFileW.KERNELBASE(00000000,00000000,?,00EA0704,?,?,00000000,?,00EA0704,00000000,0000000C), ref: 00EA03B7

GetLastError.KERNEL32 ref: 00EA076F
__dosmaperr.LIBCMT ref: 00EA0776
GetFileType.KERNELBASE(00000000), ref: 00EA0782
GetLastError.KERNEL32 ref: 00EA078C
__dosmaperr.LIBCMT ref: 00EA0795
CloseHandle.KERNEL32(00000000), ref: 00EA07B5
CloseHandle.KERNEL32(?), ref: 00EA08FF
GetLastError.KERNEL32 ref: 00EA0931
__dosmaperr.LIBCMT ref: 00EA0938

Strings

H, xrefs: 00EA08BD

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b9cd2e5c4225b71f686d2098bf64f37961aa17e4b036135c99e201699330fb4f
Instruction ID: c82ed8b3607d37e3009a56678f97ea8ff5c00aed19b6560f8b77df2dc4dee840
Opcode Fuzzy Hash: b9cd2e5c4225b71f686d2098bf64f37961aa17e4b036135c99e201699330fb4f
Instruction Fuzzy Hash: AEA12932A001088FDF19EF78D851BAE7BE1EB4A324F14115AF815BF391DB31A816CB91

Function 00E6344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E63A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F31418,?,00E62E7F,?,?,?,00000000), ref: 00E63A78

Part of subcall function 00E63357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E63379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E6356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00EA318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00EA31CE
RegCloseKey.ADVAPI32(?), ref: 00EA3210
_wcslen.LIBCMT ref: 00EA3277
_wcslen.LIBCMT ref: 00EA3286

Strings

\Include\, xrefs: 00E63527
Include, xrefs: 00EA3184, 00EA31C5
\, xrefs: 00EA328C
Software\AutoIt v3\AutoIt, xrefs: 00E63560

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 849667ab5a86d0290056cc034089f62735dcf306f1cd0e7e5371fd233a4fac97
Instruction ID: 4188a32e2ef4c5c3621befaa8c196437550a07922f27516679df3a3d43d5f711
Opcode Fuzzy Hash: 849667ab5a86d0290056cc034089f62735dcf306f1cd0e7e5371fd233a4fac97
Instruction Fuzzy Hash: 2F71E7715043099EC314EF69EC819ABBBE8FF89360F50142EF545E71B1DB309A48DB62

Function 00E62B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E62B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00E62B9D
LoadIconW.USER32(00000063), ref: 00E62BB3
LoadIconW.USER32(000000A4), ref: 00E62BC5
LoadIconW.USER32(000000A2), ref: 00E62BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E62BEF
RegisterClassExW.USER32(?), ref: 00E62C40

Part of subcall function 00E62CD4: GetSysColorBrush.USER32(0000000F), ref: 00E62D07
Part of subcall function 00E62CD4: RegisterClassExW.USER32(00000030), ref: 00E62D31
Part of subcall function 00E62CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E62D42
Part of subcall function 00E62CD4: InitCommonControlsEx.COMCTL32(?), ref: 00E62D5F
Part of subcall function 00E62CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E62D6F
Part of subcall function 00E62CD4: LoadIconW.USER32(000000A9), ref: 00E62D85
Part of subcall function 00E62CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E62D94

Strings

0, xrefs: 00E62C0F
AutoIt v3, xrefs: 00E62C2F
#, xrefs: 00E62C16

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 04dabdcf967b049b5cc809e087ae298fac309fb2adecc26a2b386b58610756fa
Instruction ID: 689906d08e27eee54b5113330b6df2456ae70a8fddd76aafa2b6245f95747869
Opcode Fuzzy Hash: 04dabdcf967b049b5cc809e087ae298fac309fb2adecc26a2b386b58610756fa
Instruction Fuzzy Hash: BC212C71E0031CAFDB109FA6ED55AAA7FB6FB48B60F10001AE600B67A0D7B11554EF90

Function 00E63170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00E6316A,?,?), ref: 00E631D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00E6316A,?,?), ref: 00E63204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E63227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00E6316A,?,?), ref: 00E63232
CreatePopupMenu.USER32 ref: 00E63246
PostQuitMessage.USER32(00000000), ref: 00E63267

Strings

TaskbarCreated, xrefs: 00E6322D

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c18ad7d4955eb5742855c82c8997399a5823b9acdcc01d4f332aaf061d92d1a0
Instruction ID: 36939157f9d2895540cfdbfa0f322bf9525a4202c402c7efe0fbae9b88d7d6f1
Opcode Fuzzy Hash: c18ad7d4955eb5742855c82c8997399a5823b9acdcc01d4f332aaf061d92d1a0
Instruction Fuzzy Hash: 51414B312C4208ABDB152B78BD1DBB93659F7463E8F24311AF601F61E3C7719A44E761

Function 00E61410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E61459
CoUninitialize.COMBASE ref: 00E614F8
UnregisterHotKey.USER32(?), ref: 00E616DD
DestroyWindow.USER32(?), ref: 00EA24B9
FreeLibrary.KERNEL32(?), ref: 00EA251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00EA254B

Strings

close all, xrefs: 00E61454

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: e9e7facacb65adfc0aac6ea84634e2b9464240e5480832fb01bb9f77e07e2602
Instruction ID: ea701d87f49935295f5475736a938edf426fe9e6b65b2a6262a164c5f36443c0
Opcode Fuzzy Hash: e9e7facacb65adfc0aac6ea84634e2b9464240e5480832fb01bb9f77e07e2602
Instruction Fuzzy Hash: 82D1AC30701212CFCB1AEF19D595A68F7A0FF49354F28A1ADE54A7B261DB30AC12CF51

Function 00E62C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E62C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E62CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E61CAD,?), ref: 00E62CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E61CAD,?), ref: 00E62CCF

Strings

AutoIt v3, xrefs: 00E62C89, 00E62C8E, 00E62C8F
edit, xrefs: 00E62CAC

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ec0a4c2e04c2e62bc38266c998294b7709f266ca00da5047cbb830895c88fb5a
Instruction ID: 61efe818f8154aabce11b09ed2d8f8fcb1bb9d33da8f27e544ea75cf27e4d636
Opcode Fuzzy Hash: ec0a4c2e04c2e62bc38266c998294b7709f266ca00da5047cbb830895c88fb5a
Instruction Fuzzy Hash: 9FF0D07554029C7AE73117276C09E777EBEE7C6F60B20105AF900A35A0C6A21858EE70

Function 00E63B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00E63B0F,SwapMouseButtons,00000004,?), ref: 00E63B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00E63B0F,SwapMouseButtons,00000004,?), ref: 00E63B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00E63B0F,SwapMouseButtons,00000004,?), ref: 00E63B83

Strings

Control Panel\Mouse, xrefs: 00E63B3E

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 4de54b71f5f10f7c09d769dc8ce120352c288086c01f1ebfea66fc3e2e02ab02
Instruction ID: 14c7a739addf3426971fa551c3058df6e1932d126b73a20e2ae0f3a41da30be0
Opcode Fuzzy Hash: 4de54b71f5f10f7c09d769dc8ce120352c288086c01f1ebfea66fc3e2e02ab02
Instruction Fuzzy Hash: 34115AB1550208FFDB208FA5EC44EEEBBB8EF41794B205459A805E7110D6319E449760

Function 00E63923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00EA33A2

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E63A04

Strings

Line: , xrefs: 00EA33EB

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 9515c30acb9d5079297af5837338713e7a297bf27616fc8d7f14e782c1b74ca1
Instruction ID: a1fe0f1e5db330481b4b3af9ac43294242dd9fc30fd1f5696861abdd15e15b33
Opcode Fuzzy Hash: 9515c30acb9d5079297af5837338713e7a297bf27616fc8d7f14e782c1b74ca1
Instruction Fuzzy Hash: BB31F671488304AAD724EB20EC45BEB77D8AF84764F14652AF599A31D1DB709648CBC2

Function 00E7FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00E80668

Part of subcall function 00E832A4: RaiseException.KERNEL32(?,?,?,00E8068A,?,00F31444,?,?,?,?,?,?,00E8068A,00E61129,00F28738,00E61129), ref: 00E83304

__CxxThrowException@8.LIBVCRUNTIME ref: 00E80685

Strings

Unknown exception, xrefs: 00E80692

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: a8c0d12a8daf92e75e42bec7aa18cb8377e5ec9abc24ff1bdfeb254e58d43fc5
Instruction ID: 4f24720836fb46708830ee014564cc9507464ca72941d632b48b1513c76a829c
Opcode Fuzzy Hash: a8c0d12a8daf92e75e42bec7aa18cb8377e5ec9abc24ff1bdfeb254e58d43fc5
Instruction Fuzzy Hash: CBF0223090020DB78B10BAB4E856D9E7BAC5E00354B60A130F92CB69E1EF31DA2AC781

Function 00E610F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E61BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E61BF4
Part of subcall function 00E61BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E61BFC
Part of subcall function 00E61BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E61C07
Part of subcall function 00E61BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E61C12
Part of subcall function 00E61BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E61C1A
Part of subcall function 00E61BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E61C22

Part of subcall function 00E61B4A: RegisterWindowMessageW.USER32(00000004,?,00E612C4), ref: 00E61BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E6136A
OleInitialize.OLE32 ref: 00E61388
CloseHandle.KERNEL32(00000000,00000000), ref: 00EA24AB

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 1b831cb4b4d9e9ff4beba2af510549539251a7a62278957aee84fa5e3d9b338b
Instruction ID: 829475d04bdf0bc3baaae8ff99b95495de9f3fc1c3cac8f10518bb94669bb380
Opcode Fuzzy Hash: 1b831cb4b4d9e9ff4beba2af510549539251a7a62278957aee84fa5e3d9b338b
Instruction Fuzzy Hash: 6D71BBB590120C8FC384DF79FD466653AE2FBC93B4728A22AD50AE7362EB304405EF54

Function 00ECC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E63923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E63A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00ECC259
KillTimer.USER32(?,00000001,?,?), ref: 00ECC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00ECC270

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 4aeed9763ef37402a1e5ae84eac784673e85fcbfcb1706d0a38885c01d592ff0
Instruction ID: 75b67556134d4cdae4d3e0a22cea8d8e75f0ac4de3b07ca847b3efcc8b5848b5
Opcode Fuzzy Hash: 4aeed9763ef37402a1e5ae84eac784673e85fcbfcb1706d0a38885c01d592ff0
Instruction Fuzzy Hash: D131E570900744AFEB329F748995BE7BBECAB06308F24109ED1DEB3251C3755A89CB51

Function 00E986AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00E985CC,?,00F28CC8,0000000C), ref: 00E98704
GetLastError.KERNEL32(?,00E985CC,?,00F28CC8,0000000C), ref: 00E9870E
__dosmaperr.LIBCMT ref: 00E98739

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 37a7d8b32087a9c91d7803d3be2ca8d5f96ceb8f9d9e866ebc4bc3768694c810
Instruction ID: af07ecaf71b9c58d8388b6ce0340a8579392cbd5d408702357a584d25cef8170
Opcode Fuzzy Hash: 37a7d8b32087a9c91d7803d3be2ca8d5f96ceb8f9d9e866ebc4bc3768694c810
Instruction Fuzzy Hash: 42012B336056201ADE25A274AA45B7E67994BC377CF39215AFD18FF1F3DEA08C81C690

Function 00E6DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00E6DB7B
DispatchMessageW.USER32(?), ref: 00E6DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E6DB9F
Sleep.KERNELBASE(0000000A), ref: 00E6DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00EB1CC9

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 2e46a50c99e9186927362fa0b37028cf8b6baead88d593e7d1ae80c0e7641041
Instruction ID: 005537d17dd7dbd825fdb7a27417150ac2d661e1855cc56f97b647b9392d7ce9
Opcode Fuzzy Hash: 2e46a50c99e9186927362fa0b37028cf8b6baead88d593e7d1ae80c0e7641041
Instruction Fuzzy Hash: 20F05E306483489BE734DBB19C59FEA73A8EB84364F605919E61AA30D0DB30A448DB25

Function 00E71310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E717F6

Strings

CALL, xrefs: 00E717C6

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: e8cdea26483c71dcff123b2ff972717b36421cab514c740955299bb955f08b2d
Instruction ID: e746822c239d9234ec0a29bd647956599936f30790e8c9c01fc6391344f23067
Opcode Fuzzy Hash: e8cdea26483c71dcff123b2ff972717b36421cab514c740955299bb955f08b2d
Instruction Fuzzy Hash: 49228C706083419FC714DF18C480B6ABBF1BF85314F28A9ADF49AAB361D735E945CB52

Function 00E62DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00EA2C8C

Part of subcall function 00E63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E63A97,?,?,00E62E7F,?,?,?,00000000), ref: 00E63AC2

Part of subcall function 00E62DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E62DC4

Strings

X, xrefs: 00EA2C5A

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 9cc279393e197fe0dccedbba6e32ef2bd682b6c255d6074cc1564426a714318c
Instruction ID: db44c0c2b7b6bb721f9cea8d5bd7e6add5e8e77308197ce6d6851482f7c2ff76
Opcode Fuzzy Hash: 9cc279393e197fe0dccedbba6e32ef2bd682b6c255d6074cc1564426a714318c
Instruction Fuzzy Hash: 4721A571A002989FDB01EF94D845BEE7BF9AF49314F009059E505FB241DBB45A898F61

Function 00E63837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E63908

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f5522605353eeb4c5eec2e81ee137310d925c16a5c2baa75ff278e3026391899
Instruction ID: 9e65520ce96d5222c8b775e0c39679ba47090ce20ae8924674750bf22742d830
Opcode Fuzzy Hash: f5522605353eeb4c5eec2e81ee137310d925c16a5c2baa75ff278e3026391899
Instruction Fuzzy Hash: BD31D5B05043018FD720DF34D8857D7BBE8FB49358F00092EF599A7280E771AA44CB52

Function 00E7F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E7F661

Part of subcall function 00E6D730: GetInputState.USER32 ref: 00E6D807

Sleep.KERNEL32(00000000), ref: 00EBF2DE

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 58b712a12dec4f540f87e53fe163443682432881aceaadca3d322cc32c254bf4
Instruction ID: 0b76df242120dfad8f075735a5fd7d3eac386b9356cf78c4b37c98a9d4cb579d
Opcode Fuzzy Hash: 58b712a12dec4f540f87e53fe163443682432881aceaadca3d322cc32c254bf4
Instruction Fuzzy Hash: 60F082312802059FD310EF75E945BAAB7E9EF45760F10402AE85AE7360DB70A844CB91

Function 00E64ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E64E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E64EDD,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64E9C
Part of subcall function 00E64E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E64EAE
Part of subcall function 00E64E90: FreeLibrary.KERNEL32(00000000,?,?,00E64EDD,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64EFD

Part of subcall function 00E64E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EA3CDE,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64E62
Part of subcall function 00E64E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E64E74
Part of subcall function 00E64E59: FreeLibrary.KERNEL32(00000000,?,?,00EA3CDE,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64E87

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 2c6d6eb586b4f51a3736e3e833af5e1d1b821be7f130905608207e4da11f037e
Instruction ID: 94fc307032614b0a6caa0deac7f6a3e9c9087209442abb67b148e2e44c7a570e
Opcode Fuzzy Hash: 2c6d6eb586b4f51a3736e3e833af5e1d1b821be7f130905608207e4da11f037e
Instruction Fuzzy Hash: A8112372780305AACB15BB70EC02FAD77E4AF54790F20A42EF542BA1C1EE71AA059790

Function 00E98402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00E98440

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 3efc5d9aa73374b20e59d4146ec217bec9bf2b2c7928ce2b456d946b5c7c8a81
Instruction ID: b7cc17255eb1b3bf0bf0d3536907ba0d6dae5b00f20b8196cff19733bdf245f2
Opcode Fuzzy Hash: 3efc5d9aa73374b20e59d4146ec217bec9bf2b2c7928ce2b456d946b5c7c8a81
Instruction Fuzzy Hash: 2A11187590410AAFCF05DF58E9419DE7BF5EF49314F104069F818AB312DA31EA11CBA5

Function 00E8E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 916079a87ceafdeab4c5b2a1e0eddd43a6289c5a531f8de33bab7d4ad9100dec
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 67F02832510A14AADF313A698C05B9A33D89F92334F142719F52DB33E2EB70D80297A5

Function 00E93820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00F31444,?,00E7FDF5,?,?,00E6A976,00000010,00F31440,00E613FC,?,00E613C6,?,00E61129), ref: 00E93852

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3d8931f84fb543e10135f6dd74ca432f9014297103b9c1a2ac9ff3d0323240c5
Instruction ID: 35c66326fbdca0c7431b951a519bfbb3aa920fb000f67003cef3ac0f95a3d7eb
Opcode Fuzzy Hash: 3d8931f84fb543e10135f6dd74ca432f9014297103b9c1a2ac9ff3d0323240c5
Instruction Fuzzy Hash: 83E0E53110122956DE3536779C04BDA36C9AF427B8F152221BC09B69D0CB10DD0192E0

Function 00E64F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64F6D

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 19fe29fcb2c9596cd6cc5928184600bb2f8deff033bf91768471c114aae89dd0
Instruction ID: c9cfe92fc7e0d4fa623fe0257eeb84b24da28eb8ec34d448fcc66fdb02bffa4f
Opcode Fuzzy Hash: 19fe29fcb2c9596cd6cc5928184600bb2f8deff033bf91768471c114aae89dd0
Instruction Fuzzy Hash: 8EF030B1245751CFDB389F64E490862B7F4BF14359320A97EE1DAA2652C7319848DF10

Function 00EF2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00EF2A66

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: b6fef06edc21edffe766d858934b2feae265b88bf8fdde8aa62f27f30927174c
Instruction ID: e4f2b36341501a7e02035652e3a4737ef6584017db0c5042e3be3d6262ca66b5
Opcode Fuzzy Hash: b6fef06edc21edffe766d858934b2feae265b88bf8fdde8aa62f27f30927174c
Instruction Fuzzy Hash: AEE04F7635451AAAC714EE30ED809FA739CEB50395710553EAE1AE2140EB309A96D6A0

Function 00E630F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E6314E

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 4004b2aef952be74fe5d0c087c315d4cc0bf0238c70a9fdea14973cf1d222083
Instruction ID: 90b121118e2ec5ecd1fa3c3500f17bfbcb1ab5d1a274bd60b7098ddc5964fe9c
Opcode Fuzzy Hash: 4004b2aef952be74fe5d0c087c315d4cc0bf0238c70a9fdea14973cf1d222083
Instruction Fuzzy Hash: 4FF030709143189FEB529F24DC8A7DA7BFCBB0171CF1001E9A688A7292DB745B88CF51

Function 00E62DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E62DC4

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 5a524e347ff6d2e1a101db84258520a641453a555be745ceab6b5ab45bed8ade
Instruction ID: 2ac1443f7c362bc42dda3fd79bcb088c29ab50ac0bf48b87e530a70446acc6a8
Opcode Fuzzy Hash: 5a524e347ff6d2e1a101db84258520a641453a555be745ceab6b5ab45bed8ade
Instruction Fuzzy Hash: D2E0CD766001245FC71096589C05FEA77DDDFC87D0F0440B1FD09F7258D960BD84C550

Function 00E62B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E63837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E63908

Part of subcall function 00E6D730: GetInputState.USER32 ref: 00E6D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00E62B6B

Part of subcall function 00E630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E6314E

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: b561989d2323adf542ed8964be33b56e9e27bf5cea3cb655b5d472c7fc93a05e
Instruction ID: 6efec5315ef91a5ae521d88537d2f9e09bf7cfeca9aad4072a2f7d054cc9e256
Opcode Fuzzy Hash: b561989d2323adf542ed8964be33b56e9e27bf5cea3cb655b5d472c7fc93a05e
Instruction Fuzzy Hash: 2FE0862174424806C608BB75B8565BDF7D9DBE63E5F40353EF542B31A3CE2445499252

Function 00EA039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00EA0704,?,?,00000000,?,00EA0704,00000000,0000000C), ref: 00EA03B7

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6e06db66dbf498d1ff4d2b88c1df48f9b9fb029734000eb3859c5b66925374ff
Instruction ID: cf4505c9ba2d9a22e0517310d5cb52ef6ce2bafb35e372ed95166a63438297a2
Opcode Fuzzy Hash: 6e06db66dbf498d1ff4d2b88c1df48f9b9fb029734000eb3859c5b66925374ff
Instruction Fuzzy Hash: 66D06C3204010DBFDF028F85DD06EDA3BAAFB88714F114000BE5866020C732E831EB90

Function 00E61CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00E61CBC

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: b012c9926ff27269296f040747505dcfeb8b8933bd216e0efb0c1c7346ea2bac
Instruction ID: f695165bfb17ac1ab3ea6892876d8b47f6ae73a57bfbd46ec7fa6f69d3861f16
Opcode Fuzzy Hash: b012c9926ff27269296f040747505dcfeb8b8933bd216e0efb0c1c7346ea2bac
Instruction Fuzzy Hash: F0C09B3528030CDFF2544780BD4AF107755B34CB11F144001F609655E3C3A11414F650

Non-executed Functions

Function 00EF9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00EF961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EF965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00EF969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EF96C9
SendMessageW.USER32 ref: 00EF96F2
GetKeyState.USER32(00000011), ref: 00EF978B
GetKeyState.USER32(00000009), ref: 00EF9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EF97AE
GetKeyState.USER32(00000010), ref: 00EF97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EF97E9
SendMessageW.USER32 ref: 00EF9810
SendMessageW.USER32(?,00001030,?,00EF7E95), ref: 00EF9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00EF992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00EF9941
SetCapture.USER32(?), ref: 00EF994A
ClientToScreen.USER32(?,?), ref: 00EF99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00EF99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EF99D6
ReleaseCapture.USER32 ref: 00EF99E1
GetCursorPos.USER32(?), ref: 00EF9A19
ScreenToClient.USER32(?,?), ref: 00EF9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00EF9A80
SendMessageW.USER32 ref: 00EF9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00EF9AEB
SendMessageW.USER32 ref: 00EF9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00EF9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00EF9B4A
GetCursorPos.USER32(?), ref: 00EF9B68
ScreenToClient.USER32(?,?), ref: 00EF9B75
GetParent.USER32(?), ref: 00EF9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00EF9BFA
SendMessageW.USER32 ref: 00EF9C2B
ClientToScreen.USER32(?,?), ref: 00EF9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00EF9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00EF9CDE
SendMessageW.USER32 ref: 00EF9D01
ClientToScreen.USER32(?,?), ref: 00EF9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00EF9D82

Part of subcall function 00E79944: GetWindowLongW.USER32(?,000000EB), ref: 00E79952

GetWindowLongW.USER32(?,000000F0), ref: 00EF9E05

Strings

F, xrefs: 00EF9D07
@GUI_DRAGID, xrefs: 00EF997D

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 6247171cca338b601943927ad02fdbd6c25e6b7b38b6febb44da7f2c6a9f564d
Instruction ID: a6d99fe094aa400b4f0b8a7c941695cf47a31ab7a63b613c7d36f53a8612439e
Opcode Fuzzy Hash: 6247171cca338b601943927ad02fdbd6c25e6b7b38b6febb44da7f2c6a9f564d
Instruction Fuzzy Hash: 0A428D30204248AFD724CF24CC44BBABBE5FF88724F255619F699E72A2D7319854DF52

Function 00EF4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00EF48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00EF4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00EF4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00EF494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00EF495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00EF497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00EF49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00EF49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00EF4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00EF4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00EF4A7E
IsMenu.USER32(?), ref: 00EF4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EF4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EF4B20
GetWindowLongW.USER32(?,000000F0), ref: 00EF4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00EF4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00EF4C82
wsprintfW.USER32 ref: 00EF4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EF4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00EF4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00EF4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EF4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00EF4D5A

Strings

%d/%02d/%02d, xrefs: 00EF4CA8

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 00035f2b594ea0beeb522407dda034c902d4a4e613168daf187c848064ffffd3
Instruction ID: 9b4e8dffb0cd18c58182aa65eab2ada02963114055bc6002c87f754af4cdad3a
Opcode Fuzzy Hash: 00035f2b594ea0beeb522407dda034c902d4a4e613168daf187c848064ffffd3
Instruction Fuzzy Hash: 0B12E0B1600258ABEB248F29CC49FBF7BE8EF85714F206119F619FA1E1D7749A40CB50

Function 00E7F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00E7F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EBF474
IsIconic.USER32(00000000), ref: 00EBF47D
ShowWindow.USER32(00000000,00000009), ref: 00EBF48A
SetForegroundWindow.USER32(00000000), ref: 00EBF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EBF4AA
GetCurrentThreadId.KERNEL32 ref: 00EBF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EBF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00EBF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00EBF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00EBF4DE
SetForegroundWindow.USER32(00000000), ref: 00EBF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EBF4F6
keybd_event.USER32(00000012,00000000), ref: 00EBF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EBF50B
keybd_event.USER32(00000012,00000000), ref: 00EBF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EBF519
keybd_event.USER32(00000012,00000000), ref: 00EBF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EBF528
keybd_event.USER32(00000012,00000000), ref: 00EBF52D
SetForegroundWindow.USER32(00000000), ref: 00EBF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00EBF557

Strings

Shell_TrayWnd, xrefs: 00EBF46F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 6d0b5694ecdecdf28e6869992220305103261ac4c63ce9935243b887c6a25c40
Instruction ID: d3b6af7a2ead75d6ef86a8885960eb56785b49d3ea52fc1a5b8a5cb03d7ed9fe
Opcode Fuzzy Hash: 6d0b5694ecdecdf28e6869992220305103261ac4c63ce9935243b887c6a25c40
Instruction Fuzzy Hash: 58313071A4021CBEEB206BB65D4AFBF7E6CEB84B50F211066F605F61D1C6B19D00EA61

Function 00EC1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00EC16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EC170D
Part of subcall function 00EC16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EC173A
Part of subcall function 00EC16C3: GetLastError.KERNEL32 ref: 00EC174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00EC1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00EC12A8
CloseHandle.KERNEL32(?), ref: 00EC12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EC12D1
GetProcessWindowStation.USER32 ref: 00EC12EA
SetProcessWindowStation.USER32(00000000), ref: 00EC12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00EC1310

Part of subcall function 00EC10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EC11FC), ref: 00EC10D4
Part of subcall function 00EC10BF: CloseHandle.KERNEL32(?,?,00EC11FC), ref: 00EC10E9

Strings

winsta0, xrefs: 00EC12CC
default, xrefs: 00EC130B
, xrefs: 00EC125A

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 2fddb276cd3c78fc97af07be60d6d1385b7138db12558f6da52c9be8eb6b14e7
Instruction ID: c6dcee78c0dd0023ebdafa8e6688e54912d2d16449b1e6883ff5fb4187647327
Opcode Fuzzy Hash: 2fddb276cd3c78fc97af07be60d6d1385b7138db12558f6da52c9be8eb6b14e7
Instruction Fuzzy Hash: 7E81AD71900209AFDF259FA4DE49FEE7BB9FF45704F2451A9F920B21A1D7328946CB20

Function 00EC0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EC1114
Part of subcall function 00EC10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC1120
Part of subcall function 00EC10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC112F
Part of subcall function 00EC10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC1136
Part of subcall function 00EC10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EC114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EC0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EC0C00
GetLengthSid.ADVAPI32(?), ref: 00EC0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00EC0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EC0C6D
GetLengthSid.ADVAPI32(?), ref: 00EC0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00EC0C8C
HeapAlloc.KERNEL32(00000000), ref: 00EC0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EC0CB4
CopySid.ADVAPI32(00000000), ref: 00EC0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EC0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EC0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EC0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC0D45
HeapFree.KERNEL32(00000000), ref: 00EC0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC0D55
HeapFree.KERNEL32(00000000), ref: 00EC0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC0D65
HeapFree.KERNEL32(00000000), ref: 00EC0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00EC0D78
HeapFree.KERNEL32(00000000), ref: 00EC0D7F

Part of subcall function 00EC1193: GetProcessHeap.KERNEL32(00000008,00EC0BB1,?,00000000,?,00EC0BB1,?), ref: 00EC11A1
Part of subcall function 00EC1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EC0BB1,?), ref: 00EC11A8
Part of subcall function 00EC1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00EC0BB1,?), ref: 00EC11B7

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 35b1bbb922e3445ce29190c76a5fc97c87b0fb73118c483f1f4bf1ba1febfa12
Instruction ID: bd579a6c8e601698983cd62858e72b8bbf1c83855da41e53b41320807446433e
Opcode Fuzzy Hash: 35b1bbb922e3445ce29190c76a5fc97c87b0fb73118c483f1f4bf1ba1febfa12
Instruction Fuzzy Hash: B3719D7190020AEFDF10DFA5DE44FAEBBB8BF44704F244519E915B6291D772A906CB60

Function 00EDEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00EFCC08), ref: 00EDEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00EDEB37
GetClipboardData.USER32(0000000D), ref: 00EDEB43
CloseClipboard.USER32 ref: 00EDEB4F
GlobalLock.KERNEL32(00000000), ref: 00EDEB87
CloseClipboard.USER32 ref: 00EDEB91
GlobalUnlock.KERNEL32(00000000), ref: 00EDEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00EDEBC9
GetClipboardData.USER32(00000001), ref: 00EDEBD1
GlobalLock.KERNEL32(00000000), ref: 00EDEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00EDEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00EDEC38
GetClipboardData.USER32(0000000F), ref: 00EDEC44
GlobalLock.KERNEL32(00000000), ref: 00EDEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00EDEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EDEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EDECD2
GlobalUnlock.KERNEL32(00000000), ref: 00EDECF3
CountClipboardFormats.USER32 ref: 00EDED14
CloseClipboard.USER32 ref: 00EDED59

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 70296211c3921224e58d6f0f5654c5e16e8de7323536e7fe137dd7fec0f4aac5
Instruction ID: 5b499ab15cf871314e96f5145b97aabaf052721469c1371cf2e3d36adefa5bd1
Opcode Fuzzy Hash: 70296211c3921224e58d6f0f5654c5e16e8de7323536e7fe137dd7fec0f4aac5
Instruction Fuzzy Hash: E061C2342042059FD310EF20D988F7A77E4EF84758F24655AF456BB3A2CB31E90ACB62

Function 00ED698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00ED69BE
FindClose.KERNEL32(00000000), ref: 00ED6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00ED6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00ED6A75

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00ED6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00ED6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00ED6B6A
%02d, xrefs: 00ED6C00, 00ED6C0A, 00ED6C5A, 00ED6CAA, 00ED6CFA, 00ED6D4A
%03d, xrefs: 00ED6DA2
%4d, xrefs: 00ED6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00ED6B32

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9c7f83aed65039da6abd7a25d79d0f153df71e9e38a9b9b9ba9af1eeff74460f
Instruction ID: d83d89fd8ad352c8897410a359f09d8f452717c69a49e6992d26f6c74043a071
Opcode Fuzzy Hash: 9c7f83aed65039da6abd7a25d79d0f153df71e9e38a9b9b9ba9af1eeff74460f
Instruction Fuzzy Hash: E3D17171548300AFC314EBA0D991EABB7ECEF88704F04591EF585E7291EB74DA48CB62

Function 00ED9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00ED9663
GetFileAttributesW.KERNEL32(?), ref: 00ED96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00ED96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00ED96D3
FindClose.KERNEL32(00000000), ref: 00ED96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00ED96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00ED974A
SetCurrentDirectoryW.KERNEL32(00F26B7C), ref: 00ED9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ED9772
FindClose.KERNEL32(00000000), ref: 00ED977F
FindClose.KERNEL32(00000000), ref: 00ED978F

Strings

*.*, xrefs: 00ED96F5

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 503399fbfc1b1424c756a17525a94180ecad5232eaba34b12d177389602f435a
Instruction ID: 9c9a45da746bc64b234a60b7f03072424e56b2701581a13d8ad218929a5ca438
Opcode Fuzzy Hash: 503399fbfc1b1424c756a17525a94180ecad5232eaba34b12d177389602f435a
Instruction Fuzzy Hash: E631CE3254161D6EDB14AFB5ED08AEE77ACEF89324F205197E814F22B1DB30DA49CB10

Function 00ED979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00ED97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00ED9819
FindClose.KERNEL32(00000000), ref: 00ED9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00ED9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00ED9890
SetCurrentDirectoryW.KERNEL32(00F26B7C), ref: 00ED98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ED98B8
FindClose.KERNEL32(00000000), ref: 00ED98C5
FindClose.KERNEL32(00000000), ref: 00ED98D5

Part of subcall function 00ECDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00ECDB00

Strings

*.*, xrefs: 00ED983B

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 277a02959a7c7ed204cc38ea9e25527ca691aaa5b515914c9087ab89dca9a535
Instruction ID: 7f4f68f794cd9501d26edad983df2ba26ab84846b18b12b59cfca28daf9711c0
Opcode Fuzzy Hash: 277a02959a7c7ed204cc38ea9e25527ca691aaa5b515914c9087ab89dca9a535
Instruction Fuzzy Hash: 9031053654061D6EEF14AFB5EC48AEE73ACDF46724F205156E804F22B1DB31D94ADB20

Function 00EEBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EEB6AE,?,?), ref: 00EEC9B5
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EEC9F1
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EECA68
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EEBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00EEBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00EEBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00EEC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00EEC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00EEC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00EEC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00EEC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00EEC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EEC382
RegCloseKey.ADVAPI32(00000000), ref: 00EEC38F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 77f81a0294323038a6f85957dc0d2f0218d74b8ed5c6834517def82c0e5a7eef
Instruction ID: b613ddacb962c8f59dbb95b37bc95a2da25ec8ac8f714ac105fcb6b5565d9ef1
Opcode Fuzzy Hash: 77f81a0294323038a6f85957dc0d2f0218d74b8ed5c6834517def82c0e5a7eef
Instruction Fuzzy Hash: B50282716042449FC714CF25C895E2AB7E5EF89318F28D49DF84AEB2A2DB31EC46CB51

Function 00ED8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00ED8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00ED8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00ED8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00ED8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00ED8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00ED8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00ED838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00ED8395

Strings

*.*, xrefs: 00ED839B

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 6ee72774031b538e8eb6960cc3245fc44467ce40144a49db6d134651e35db95c
Instruction ID: e46ec1deee45e6d6c7807630c0661fd3047cff56f37f55298a7a9224550817eb
Opcode Fuzzy Hash: 6ee72774031b538e8eb6960cc3245fc44467ce40144a49db6d134651e35db95c
Instruction Fuzzy Hash: DA618C725043459FC710EF60D9409AEB3E8FF89314F14591EF989E7261EB31E94ACB92

Function 00ECD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E63A97,?,?,00E62E7F,?,?,?,00000000), ref: 00E63AC2

Part of subcall function 00ECE199: GetFileAttributesW.KERNEL32(?,00ECCF95), ref: 00ECE19A

FindFirstFileW.KERNEL32(?,?), ref: 00ECD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00ECD1DD
MoveFileW.KERNEL32(?,?), ref: 00ECD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00ECD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ECD237

Part of subcall function 00ECD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00ECD21C,?,?), ref: 00ECD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00ECD253
FindClose.KERNEL32(00000000), ref: 00ECD264

Strings

\*.*, xrefs: 00ECD0CD, 00ECD0D6, 00ECD0EB

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: e767bdf453643b7f4ad39d6389d84fcbdf0969effafecda66d865adfbed219c0
Instruction ID: 4ce69c977e493edf2047480825a7503c14ddfa482bedfa2b5ef901844680c8f4
Opcode Fuzzy Hash: e767bdf453643b7f4ad39d6389d84fcbdf0969effafecda66d865adfbed219c0
Instruction Fuzzy Hash: 40617E3184510D9ECF09EBE0EE52EEDB7B9AF55344F246069E401771A2EB325F0ADB60

Function 00EDED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00EDED91
EmptyClipboard.USER32 ref: 00EDED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00EDEDAC
CloseClipboard.USER32 ref: 00EDEEA3

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f7f2b7de22385f38541baeebb764567c85227974d310fdb32ee5b7c3b653d4d4
Instruction ID: 619343253a4ebed62ce3359a80b72a99f10ed559c0115eb75a0a9464428c76b5
Opcode Fuzzy Hash: f7f2b7de22385f38541baeebb764567c85227974d310fdb32ee5b7c3b653d4d4
Instruction Fuzzy Hash: ED419F352046119FE310DF15D888B29BBE1EF44318F25D09AE859AF762C775EC46CB90

Function 00ECE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EC170D
Part of subcall function 00EC16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EC173A
Part of subcall function 00EC16C3: GetLastError.KERNEL32 ref: 00EC174A

ExitWindowsEx.USER32(?,00000000), ref: 00ECE932

Strings

SeShutdownPrivilege, xrefs: 00ECE902
@, xrefs: 00ECE925
, xrefs: 00ECE920
, xrefs: 00ECE95C

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 864a011d041963d55d4caefdcd56be37a2a5ce12868c0ec14fb20f45fc915740
Instruction ID: 17b614b60374b872b8c489d6239e7fa0097a1a51c9dcf7db6c1efe6872bc918a
Opcode Fuzzy Hash: 864a011d041963d55d4caefdcd56be37a2a5ce12868c0ec14fb20f45fc915740
Instruction Fuzzy Hash: EA014E32610214AFFB5422759E86FFF729C9744744F241569FC03F32D2D5B25C46C290

Function 00EE1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00EE1276
WSAGetLastError.WSOCK32 ref: 00EE1283
bind.WSOCK32(00000000,?,00000010), ref: 00EE12BA
WSAGetLastError.WSOCK32 ref: 00EE12C5
closesocket.WSOCK32(00000000), ref: 00EE12F4
listen.WSOCK32(00000000,00000005), ref: 00EE1303
WSAGetLastError.WSOCK32 ref: 00EE130D
closesocket.WSOCK32(00000000), ref: 00EE133C

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: b8828e3d6620b440a6bc686dd87e8e36b771e3069e5d7a324e731958d4d00b60
Instruction ID: e3aa0b0d8c804e41d96cb376a69d76953f60360f04478ebddf1224c0bd8c2857
Opcode Fuzzy Hash: b8828e3d6620b440a6bc686dd87e8e36b771e3069e5d7a324e731958d4d00b60
Instruction Fuzzy Hash: 5941C5306001849FD714DF65D984B69B7E5BF8A318F2890C8D956AF2A2C771ECC5CBE1

Function 00E9B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E9B9D4
_free.LIBCMT ref: 00E9B9F8
_free.LIBCMT ref: 00E9BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00F03700), ref: 00E9BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00F3121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00E9BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00F31270,000000FF,?,0000003F,00000000,?), ref: 00E9BC36
_free.LIBCMT ref: 00E9BD4B

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 3a3903021a96ba7988d4c7c68c530513b3e139edb7511a72f6815754e2cffb38
Instruction ID: a4abc6ce7b9680a3b9661ddda4791961adb47cddce4f3e1d93368d6d569ad96d
Opcode Fuzzy Hash: 3a3903021a96ba7988d4c7c68c530513b3e139edb7511a72f6815754e2cffb38
Instruction Fuzzy Hash: 2DC13871904208AFDF20DF69AE41BAEBBF9EF41324F14619AE494F7291E7709E41C790

Function 00ECD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E63A97,?,?,00E62E7F,?,?,?,00000000), ref: 00E63AC2

Part of subcall function 00ECE199: GetFileAttributesW.KERNEL32(?,00ECCF95), ref: 00ECE19A

FindFirstFileW.KERNEL32(?,?), ref: 00ECD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00ECD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ECD481
FindClose.KERNEL32(00000000), ref: 00ECD498
FindClose.KERNEL32(00000000), ref: 00ECD4A1

Strings

\*.*, xrefs: 00ECD3F2

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 297a312d8bd4ce4a2e014995aaafbb775de758b025085c382187f164ad80b0c2
Instruction ID: 9ae7c7b2eb29c9b72e9071379cdecd4b05d7a18908d863684d940e600e50e449
Opcode Fuzzy Hash: 297a312d8bd4ce4a2e014995aaafbb775de758b025085c382187f164ad80b0c2
Instruction Fuzzy Hash: D131AF3104C3449FC204EF60E9519AF77E8BE91354F546A2DF4E5A31A1EB31AA09CB63

Function 00E9E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00E9E645

Strings

1#IND, xrefs: 00E9F83D
1#INF, xrefs: 00E9F852
1#QNAN, xrefs: 00E9F84B
1#SNAN, xrefs: 00E9F844

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: df56a21f5a5ed9001b4b0b4d21d0f5912a4ae071d73c6d2b4497a7be028b05ca
Instruction ID: 6e793025c89693e794410ee799189f369a7ab0646b3a378477c2fec2f4e9e4c9
Opcode Fuzzy Hash: df56a21f5a5ed9001b4b0b4d21d0f5912a4ae071d73c6d2b4497a7be028b05ca
Instruction Fuzzy Hash: 2DC23871E086288FDF29CE289D407EAB7B5EB48309F1551EAD94DF7241E774AE818F40

Function 00ED648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00ED64DC
CoInitialize.OLE32(00000000), ref: 00ED6639
CoCreateInstance.OLE32(00EFFCF8,00000000,00000001,00EFFB68,?), ref: 00ED6650
CoUninitialize.OLE32 ref: 00ED68D4

Strings

.lnk, xrefs: 00ED64BA, 00ED6524, 00ED65E0

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 46ba3d199a09601027e5286b1a6469659e7f7712cc03eaa8924597c0304b35ca
Instruction ID: 2581eb9f3b12fbf7ad887d3fac529a81aaa61f3f56ce4ffa1f700685bf62d3b0
Opcode Fuzzy Hash: 46ba3d199a09601027e5286b1a6469659e7f7712cc03eaa8924597c0304b35ca
Instruction Fuzzy Hash: 63D18B71608301AFC304EF24D88196BB7E8FF94748F10592DF595AB292DB71ED46CB92

Function 00EE22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00EE22E8

Part of subcall function 00EDE4EC: GetWindowRect.USER32(?,?), ref: 00EDE504

GetDesktopWindow.USER32 ref: 00EE2312
GetWindowRect.USER32(00000000), ref: 00EE2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00EE2355
GetCursorPos.USER32(?), ref: 00EE2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EE23DF

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: ecede23a6e6bef002a918b8a757a544159bd5e76daea17eaa0edbe14160eb041
Instruction ID: 0f40470f9505d2ff9879f3a5f3b097ebfb15ab0b6d45ab52cea7134872a72ca6
Opcode Fuzzy Hash: ecede23a6e6bef002a918b8a757a544159bd5e76daea17eaa0edbe14160eb041
Instruction Fuzzy Hash: 6531DE7210434AAFCB20DF16C808B6BB7AAFB84714F10191DF984A7281DA34E909CB92

Function 00ED9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00ED9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00ED9C8B

Part of subcall function 00ED3874: GetInputState.USER32 ref: 00ED38CB
Part of subcall function 00ED3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ED3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00ED9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00ED9C75

Strings

*.*, xrefs: 00ED9B5D

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: cb22d561c5b7e88e14d71534516b9c444328cff45ec0cfa637602ac71c9e3f94
Instruction ID: 1d02f7b0832c072b47da6ab6cd23ae33523febfb1b70bd486291f4e087671d46
Opcode Fuzzy Hash: cb22d561c5b7e88e14d71534516b9c444328cff45ec0cfa637602ac71c9e3f94
Instruction Fuzzy Hash: D6416D7194020AAFCF14DF64DD45AEEBBF8EF45354F245056E405B22A2EB309E45CF61

Function 00E7997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00E79A4E
GetSysColor.USER32(0000000F), ref: 00E79B23
SetBkColor.GDI32(?,00000000), ref: 00E79B36

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: c62859efaa5421c58695c2bdbcb944e5a5f01a6d97c7fb743a53f7f38510a7c9
Instruction ID: 125729a4ce62d856a1a10b0a7d6d2e7d01fb633c13ecd09309451e1849f96a4c
Opcode Fuzzy Hash: c62859efaa5421c58695c2bdbcb944e5a5f01a6d97c7fb743a53f7f38510a7c9
Instruction Fuzzy Hash: CDA14C7010A418AEE7249A3C8C48EFB369DEFC2354F25A10AF546F6A97CA259D01D375

Function 00EE1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EE307A
Part of subcall function 00EE304E: _wcslen.LIBCMT ref: 00EE309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00EE185D
WSAGetLastError.WSOCK32 ref: 00EE1884
bind.WSOCK32(00000000,?,00000010), ref: 00EE18DB
WSAGetLastError.WSOCK32 ref: 00EE18E6
closesocket.WSOCK32(00000000), ref: 00EE1915

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0d113082b6d146c0089ec565e0176f0ca80bdafbc95a264af51587925d7ce004
Instruction ID: 6a8d81bb5e0e5aac8c133d23b754edc4bcd9f3189a7fe9541a8f3d3c31b6da26
Opcode Fuzzy Hash: 0d113082b6d146c0089ec565e0176f0ca80bdafbc95a264af51587925d7ce004
Instruction Fuzzy Hash: DB511670A402449FD710AF24D886F7A77E5AB84358F189088F95ABF3C3D771AD41CBA1

Function 00EF1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00EF1CC0
IsWindowEnabled.USER32 ref: 00EF1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00EF1CDB
IsIconic.USER32 ref: 00EF1CE9
IsZoomed.USER32 ref: 00EF1CF7

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 944ef73e11704111fd46d36e6e24f67edab1f502940a06853fb9a4c5f4aea695
Instruction ID: 5447e4ea11d3fa37ce503d8d4d07ddf16882d9fd243d35f5b03eeab44da4d15e
Opcode Fuzzy Hash: 944ef73e11704111fd46d36e6e24f67edab1f502940a06853fb9a4c5f4aea695
Instruction Fuzzy Hash: 0921B4317402089FD7248F1AD844B76BBE5AF85315B29A098E945EB351C771DC46CB90

Function 00E68060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00EA5DF0
VUUU, xrefs: 00E683FA
VUUU, xrefs: 00E683E8
ERCP, xrefs: 00E6813C
VUUU, xrefs: 00E6843C

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 63dcead24255ab5544c2e3fb0e4075d7f6a5f60eba0b50793ae1bcb6d512c257
Instruction ID: e1dd76ab8d6454ca1da31c2db5d74927448f3326b3bf20b76226abffa0cf9cf0
Opcode Fuzzy Hash: 63dcead24255ab5544c2e3fb0e4075d7f6a5f60eba0b50793ae1bcb6d512c257
Instruction Fuzzy Hash: 06A29171E4021ACBDF24CF58D9407EEB7B1BF59354F24929AE815BB285DB30AD81CB50

Function 00ECAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00ECAAAC
SetKeyboardState.USER32(00000080), ref: 00ECAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00ECAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00ECAB88

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: cc0b1ae2f918fcd521a222d4744ceda08591ab42dd67288a521511f3adf0f284
Instruction ID: 9a3daea1d62e65a89ac91dc6793f6d82dd16f4748508801553128fe5277b8b38
Opcode Fuzzy Hash: cc0b1ae2f918fcd521a222d4744ceda08591ab42dd67288a521511f3adf0f284
Instruction Fuzzy Hash: D6310970A4020CAEEB358A65CE05FFA77B6AB44318F18522EF181B61D1D7768D86C752

Function 00EDCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00EDCE89
GetLastError.KERNEL32(?,00000000), ref: 00EDCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00EDCEFE

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 9f7d0cb4faa38a0839f01ac8e570269804c2f110864725ec59cc484bc04edc4b
Instruction ID: 690f41f4830d8add39af0bdb55981d07f2ff0cb15f78f28a8305d2280dd8bd21
Opcode Fuzzy Hash: 9f7d0cb4faa38a0839f01ac8e570269804c2f110864725ec59cc484bc04edc4b
Instruction Fuzzy Hash: 3721AEB16007069FE7209FA5C944BAA77FCEB40398F30541AE946E2251E770E906DB50

Function 00EC8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00EC82AA

Strings

|, xrefs: 00EC82DA
(, xrefs: 00EC82F0

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: c8bc39fdf2d79f94c8f42216bb0ac1e78a79341119fcf2bb636eb543de97cfdc
Instruction ID: 702695d572767705d4d0585fd9f1c08329c9659b6243782ccba979f086c62703
Opcode Fuzzy Hash: c8bc39fdf2d79f94c8f42216bb0ac1e78a79341119fcf2bb636eb543de97cfdc
Instruction Fuzzy Hash: 59323775A006059FC728CF19C680E6AB7F0FF48714B11D56EE49AEB3A1EB70E942CB40

Function 00ED5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00ED5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00ED5D17
FindClose.KERNEL32(?), ref: 00ED5D5F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 79e5a947c7f87150492e7a1589d08f68e1ba43817aff2811db3caab367cf790b
Instruction ID: 00e1202570a7d8a2566354ea2ac028bc2307ef08b9f960ed08ac324bb31caa71
Opcode Fuzzy Hash: 79e5a947c7f87150492e7a1589d08f68e1ba43817aff2811db3caab367cf790b
Instruction Fuzzy Hash: 6651BC35600A019FC714CF28D484EAAB7E4FF49318F24955EE99A9B3A1CB30EC05CFA1

Function 00E92622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00E9271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E92724
UnhandledExceptionFilter.KERNEL32(?), ref: 00E92731

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 4a05f6da2069d2a9af996e462d20e3b10b6f59c39ac672301dc4631a217c8271
Instruction ID: 4b6dc396ed0472a0656a166667a9892714e90dbf7e05c96b5e62605dff873636
Opcode Fuzzy Hash: 4a05f6da2069d2a9af996e462d20e3b10b6f59c39ac672301dc4631a217c8271
Instruction Fuzzy Hash: 8131C27490121CABCB21DF68DD8879CBBB8AF08310F6051EAE91CB6261E7309F858F44

Function 00ED51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00ED51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00ED5238
SetErrorMode.KERNEL32(00000000), ref: 00ED52A1

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 8a1b316e488fe564be680dc9661c854398901b7ed765d991d3bb227d561cf242
Instruction ID: 78260a372cc943ed6209634b35108419059adafbb5c3b0c8d7989cef2f5085d0
Opcode Fuzzy Hash: 8a1b316e488fe564be680dc9661c854398901b7ed765d991d3bb227d561cf242
Instruction Fuzzy Hash: 8C314175A00518DFDB00DF54D884EADBBF5FF49318F189099E845AB362DB31E85ACB90

Function 00EC16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E7FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E80668
Part of subcall function 00E7FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E80685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EC170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EC173A
GetLastError.KERNEL32 ref: 00EC174A

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: c1fb44472b26cc29ed405b4efffe1641b62ed996094a28b0dc5bb022daba2800
Instruction ID: 673e55cec74472141419d18359a8b00737fb19785611e98f4a1c6600fa594d2b
Opcode Fuzzy Hash: c1fb44472b26cc29ed405b4efffe1641b62ed996094a28b0dc5bb022daba2800
Instruction Fuzzy Hash: E211C1B2500308FFD7289F54DD86E6AB7F9EB45714B20856EE05663241EB71BC42CB20

Function 00ECD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00ECD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00ECD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00ECD650

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 5cb109242442644dc1a8a667c8f1b777967075c849776f22599de7845e3f9aa3
Instruction ID: d7bc84b850e40a0b2c1fafb6e0eab2b4e969e8c46bab279b42f5539516708c06
Opcode Fuzzy Hash: 5cb109242442644dc1a8a667c8f1b777967075c849776f22599de7845e3f9aa3
Instruction Fuzzy Hash: DF1170B1E05228BFDB108F959D44FAFBBBCEB45B50F208125F904F7290C2704A05CBA1

Function 00EC1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00EC168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00EC16A1
FreeSid.ADVAPI32(?), ref: 00EC16B1

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b7faf7c8c31be8734794b2d06784e55342e991e1799fdad725b1801b4e3505a6
Instruction ID: 8dfad69924ef9bd31f366a544d7636960ccbb96eebefbdbbc5e66f36ffc032bd
Opcode Fuzzy Hash: b7faf7c8c31be8734794b2d06784e55342e991e1799fdad725b1801b4e3505a6
Instruction Fuzzy Hash: C6F0447194030CFFDB00CFE08D89EAEBBBCEB08204F2048A4E500E2181E730AA089A50

Function 00E9C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00E9C36C

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 865d8af6eedab8abd8768072b80ff852bbb368823f126e2d191b4fedde8e29c3
Instruction ID: 1d1f37463ad2af86cb3874d984782985eb75e4a345d7940ab902629657a4f64a
Opcode Fuzzy Hash: 865d8af6eedab8abd8768072b80ff852bbb368823f126e2d191b4fedde8e29c3
Instruction Fuzzy Hash: 13414B72500619AFCF20EFB9CC48DBB77B8EB84358F6042A9F905E7180E6709D81CB50

Function 00EBD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00EBD28C

Strings

X64, xrefs: 00EBD2A8

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 82adc534a6b1c07dd632f7998fdd969b3d901e18541168beb614a01e496b7059
Instruction ID: 63fb96c82167815865354720312c21e3cda7cdc5e5a87992783d43689d914299
Opcode Fuzzy Hash: 82adc534a6b1c07dd632f7998fdd969b3d901e18541168beb614a01e496b7059
Instruction Fuzzy Hash: 4AD0C9B480511DEECB94CB90DC88DDAB37CBF04305F205155F106B2000DB3095498F10

Function 00E8CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 1d3f515b954367f98f020b4034e146007427142f817b9708040be8b7b94c9670
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 8D020A71E002199BDF14DFA9C8806ADFBF1EF49314F25916AE91DFB280D731AA41CB94

Function 00ED68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00ED6918
FindClose.KERNEL32(00000000), ref: 00ED6961

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7cbb0d907bc0315d7758c77cbcd9d9ff19dbdbf16d581c472827cc22c3a1147e
Instruction ID: f9310921991fd1f0977cff7541c3ae7c4085a991381e480aa3d260272ce108a0
Opcode Fuzzy Hash: 7cbb0d907bc0315d7758c77cbcd9d9ff19dbdbf16d581c472827cc22c3a1147e
Instruction Fuzzy Hash: 1D1190316046409FD710DF69D488A26BBE5FFC9328F14D69AE4699F3A2C730EC06CB91

Function 00ED37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00EE4891,?,?,00000035,?), ref: 00ED37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00EE4891,?,?,00000035,?), ref: 00ED37F4

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 57b8fe6dd0288eff2ae01d5971cad666262c135064dcd03b9368150361e9450b
Instruction ID: 602decf2f53eaa1d5148a65d244519d0518143d128b93177547b524791dd2e04
Opcode Fuzzy Hash: 57b8fe6dd0288eff2ae01d5971cad666262c135064dcd03b9368150361e9450b
Instruction Fuzzy Hash: 69F055B07012292EE72013B68C4CFEB3AAEEFC47A0F100163F508F2281C9609908C6B0

Function 00ECB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00ECB25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00ECB270

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 85ebb98e75f14e32689d46f80f3ea61ba2b10116fe3a4f498b2860785639848f
Instruction ID: 06ded0617d948dc3d0d55399fc8e203706dd16b116769b0294baaef0cb430422
Opcode Fuzzy Hash: 85ebb98e75f14e32689d46f80f3ea61ba2b10116fe3a4f498b2860785639848f
Instruction Fuzzy Hash: F1F01D7180424DAFDB059FA1C906BFE7BB4FF08309F10940AF955A51A1C3799615DF94

Function 00EC10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EC11FC), ref: 00EC10D4
CloseHandle.KERNEL32(?,?,00EC11FC), ref: 00EC10E9

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: adc87fc3d7cd35c0203b3657d99ecfbc08976385bae98e9ebe03e565887bb8ee
Instruction ID: 9bae42c26d9c5622317596ebeb48179f596bd2a34b65864b6b9701719e93aa6e
Opcode Fuzzy Hash: adc87fc3d7cd35c0203b3657d99ecfbc08976385bae98e9ebe03e565887bb8ee
Instruction Fuzzy Hash: F5E0BF72018610AEE7252B51FD05F7777E9EF04320F24C86DF5A5904B1DB626C91DB54

Function 00E6CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00EB0C40

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: e92bb1aa8947741f9e40d60b606f9cbb5f76132218597981226fdd3619cd14db
Instruction ID: 3d1db921c466dd925040ca56c27f61b8b388cb07f98f544b7a9a97465979b4cd
Opcode Fuzzy Hash: e92bb1aa8947741f9e40d60b606f9cbb5f76132218597981226fdd3619cd14db
Instruction Fuzzy Hash: 05328F70A40218DBCF14DF90E885AFEB7F5BF04388F24A069E846BB292D775AD45CB51

Function 00E9676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E96766,?,?,00000008,?,?,00E9FEFE,00000000), ref: 00E96998

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f189e87bb20cdca1d2bef4820f5e0eb74bc39684f09368ea51746bc3fd3b23f6
Instruction ID: c1202090567a59d788eb06afab9280e2ac33faac2d8c4bbb740115cb4c9726d7
Opcode Fuzzy Hash: f189e87bb20cdca1d2bef4820f5e0eb74bc39684f09368ea51746bc3fd3b23f6
Instruction Fuzzy Hash: 82B16E71610608DFDB19CF28C48ABA57BE0FF45368F25D65AE899DF2A2C335D981CB40

Function 00E7B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00EB851F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e442fcc5ed1f06e4d9e128594baaf003e04884e4887b3508e2ab8657ab4173b3
Instruction ID: 6358c52ced5ebf56a086f5455d32c3219783edb6d7e81ba22a095604d565b086
Opcode Fuzzy Hash: e442fcc5ed1f06e4d9e128594baaf003e04884e4887b3508e2ab8657ab4173b3
Instruction Fuzzy Hash: 571251759002299BCB24CF58C9807EEB7F5FF48710F14919AE849FB255EB749E81CB90

Function 00EDEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00EDEABD

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e478783bff1138f96968e5738a87b594feb9158cc24992b251f03653ca44ab1a
Instruction ID: 0eb05a33525f4c267b5da3fb2801c86b1eb94fa3db1e19262394c8a6dc7db504
Opcode Fuzzy Hash: e478783bff1138f96968e5738a87b594feb9158cc24992b251f03653ca44ab1a
Instruction Fuzzy Hash: 5EE012312002059FC710EF59D404D9AB7D9EF987A4F109416FC45EB351D670A8458B90

Function 00E809D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00E803EE), ref: 00E809DA

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6159c517cd0c9db8f6ef7c1f2b2b0b59a93ac4f9dac9e2b7f4e72d8281e55122
Instruction ID: 795ac02d112859ab49f89cd6b35c5d1af2194ac0ffc6cfe0f1dbb5874e89439d
Opcode Fuzzy Hash: 6159c517cd0c9db8f6ef7c1f2b2b0b59a93ac4f9dac9e2b7f4e72d8281e55122
Instruction Fuzzy Hash:

Function 00E8781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00E8798B

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 3cc61938671e0e47e1c351c395fc9144648bcb65c8698ea6c3444c813b15831b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: E551A52160C7155BDB3CB968898E7FE27C99B82388F383409D8CEF7282DA11DE41D352

Function 00E96DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a87a5b14680cb9a8ba19fdbbe71be3e1b284a1bdafa6ecc61fec7e553ab58f0
Instruction ID: 61173f0c2c2152437657e228ec1ae1dd6c805f8f36930d0e37eae45b1e50fe61
Opcode Fuzzy Hash: 4a87a5b14680cb9a8ba19fdbbe71be3e1b284a1bdafa6ecc61fec7e553ab58f0
Instruction Fuzzy Hash: 29323322D79F014DDB639634CC26336A289BFB73C5F15E737E85AB59A6EB28C4835100

Function 00E7CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835ea0966c74a1fff0c55d924643937ca9ded9cb430b7b30c6e684c05c69c134
Instruction ID: cfbbc8c06dc705886feb8a7bf491e87a51febef7ca1a3f958237d2318702e7d7
Opcode Fuzzy Hash: 835ea0966c74a1fff0c55d924643937ca9ded9cb430b7b30c6e684c05c69c134
Instruction Fuzzy Hash: D6322731A081198BDF39CF28C4D06FEBBA5EB45308F38A56AD45AFB291D634DD81DB41

Function 00E67920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2a7697a7f2a263d38b5f36d37271a450621da40e5d2b32e9142d645ea1a94c
Instruction ID: aa00d89a1333e055b055289d945c1d55a8316cd72481e8618961decd82cce70f
Opcode Fuzzy Hash: 0e2a7697a7f2a263d38b5f36d37271a450621da40e5d2b32e9142d645ea1a94c
Instruction Fuzzy Hash: 5D22DFB1A006099FDF14CFA4D841AEEB3F6FF49344F206129E856BB291EB35AD15CB50

Function 00E691C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35db28b225f55fa3d1577a5187d108929175cf6231ef952daead4f1873afc730
Instruction ID: c39a5938b4e75b46bd14e11db490089a1e2a70046019e01c2d1fd3feb85f1c82
Opcode Fuzzy Hash: 35db28b225f55fa3d1577a5187d108929175cf6231ef952daead4f1873afc730
Instruction Fuzzy Hash: F902B7B0A00109EBDB14DF64D881AAEB7F5FF49354F119169E80ABB391E731AE11CB91

Function 00E99EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad09b276d87a16badc7d040b69f40ffb7d35b1e0d77753b5056367fd2a750eb
Instruction ID: 25717555a3555b38bafc081529887ef82dc874baaf187572c5ac77679844e949
Opcode Fuzzy Hash: 7ad09b276d87a16badc7d040b69f40ffb7d35b1e0d77753b5056367fd2a750eb
Instruction Fuzzy Hash: 16B11220E2AF444DD72396398871336B65CBFBB6D5F92D31BFC2674D62EB2286835140

Function 00E87A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d42b98b104c7d552bd3ab179e8297668bd99fa33a079a05f8fd984374424545
Instruction ID: 1fb7e82ada5dd29181a2ec6349b5a89d927538a6623c6586a580c277a61038cf
Opcode Fuzzy Hash: 5d42b98b104c7d552bd3ab179e8297668bd99fa33a079a05f8fd984374424545
Instruction Fuzzy Hash: DE61893124870956DA38BA288D95BFEA3D7DF51708F343959E8CEFB281D611DE42C315

Function 00E87CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310e6d1c1d4c583c71df8e7d14d6b096fa629cd1f9c312969011f8910c7c1490
Instruction ID: d693e5a83c45788380df43f0351c34566f1f6a51a128465ab413ff4ba3ff63d2
Opcode Fuzzy Hash: 310e6d1c1d4c583c71df8e7d14d6b096fa629cd1f9c312969011f8910c7c1490
Instruction Fuzzy Hash: 5661473160C70996DA38BA284955BBE6384AF43748F30395DE8CEFB2C1EA12ED428355

Function 00E7D063 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9928efed8c0635a7325ea99df355544910aaab824386effac2a8e66a3a10f8
Instruction ID: a5e8ff2bba1807284984226036939af4cf020450a5a85c97009b88bb0def16e8
Opcode Fuzzy Hash: 8f9928efed8c0635a7325ea99df355544910aaab824386effac2a8e66a3a10f8
Instruction Fuzzy Hash: A551808694EFC65FD30382748CAA4E5AF758C471303ACE7DF8189166CBE689050BD786

Function 00ED2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f98c7f8ac2f996c05fb8adcb95aa740c9edd7e6bd27971725bd9e05a91e3d660
Instruction ID: 74799fc568e47eed03a4456237650c697bf7b66aea861b64c496204be1fa5573
Opcode Fuzzy Hash: f98c7f8ac2f996c05fb8adcb95aa740c9edd7e6bd27971725bd9e05a91e3d660
Instruction Fuzzy Hash: 9D21D5323206158BDB28CE79C82367A73E5EB64320F14862EE4A7D33D0DE35A904DB80

Function 00EE2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00EE2B30
DeleteObject.GDI32(00000000), ref: 00EE2B43
DestroyWindow.USER32 ref: 00EE2B52
GetDesktopWindow.USER32 ref: 00EE2B6D
GetWindowRect.USER32(00000000), ref: 00EE2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00EE2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00EE2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE2CF8
GetClientRect.USER32(00000000,?), ref: 00EE2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00EE2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE2D80
GlobalLock.KERNEL32(00000000), ref: 00EE2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE2D98
GlobalUnlock.KERNEL32(00000000), ref: 00EE2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE2DA8
GlobalFree.KERNEL32(00000000), ref: 00EE2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00EFFC38,00000000), ref: 00EE2DDB
GlobalFree.KERNEL32(00000000), ref: 00EE2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00EE2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00EE2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EE303F

Strings

, xrefs: 00EE2FC5
AutoIt v3, xrefs: 00EE2CF2
static, xrefs: 00EE2D3A, 00EE2E91
DISPLAY, xrefs: 00EE2EA2

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 1e5b20307d995bef1d05d336b79caa2dd18ec57c609a9a2b2a77a39e41968186
Instruction ID: d7b0e332e65107315e7d42124c84823cc3ab9fb99008c26570c7273f60cbefa0
Opcode Fuzzy Hash: 1e5b20307d995bef1d05d336b79caa2dd18ec57c609a9a2b2a77a39e41968186
Instruction Fuzzy Hash: 65029D71A00208AFDB14DF65CD89EAE7BB9FF48714F208158F915BB2A1DB70AD05CB60

Function 00EF70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00EF712F
GetSysColorBrush.USER32(0000000F), ref: 00EF7160
GetSysColor.USER32(0000000F), ref: 00EF716C
SetBkColor.GDI32(?,000000FF), ref: 00EF7186
SelectObject.GDI32(?,?), ref: 00EF7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00EF71C0
GetSysColor.USER32(00000010), ref: 00EF71C8
CreateSolidBrush.GDI32(00000000), ref: 00EF71CF
FrameRect.USER32(?,?,00000000), ref: 00EF71DE
DeleteObject.GDI32(00000000), ref: 00EF71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00EF7230
FillRect.USER32(?,?,?), ref: 00EF7262
GetWindowLongW.USER32(?,000000F0), ref: 00EF7284

Part of subcall function 00EF73E8: GetSysColor.USER32(00000012), ref: 00EF7421
Part of subcall function 00EF73E8: SetTextColor.GDI32(?,?), ref: 00EF7425
Part of subcall function 00EF73E8: GetSysColorBrush.USER32(0000000F), ref: 00EF743B
Part of subcall function 00EF73E8: GetSysColor.USER32(0000000F), ref: 00EF7446
Part of subcall function 00EF73E8: GetSysColor.USER32(00000011), ref: 00EF7463
Part of subcall function 00EF73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EF7471
Part of subcall function 00EF73E8: SelectObject.GDI32(?,00000000), ref: 00EF7482
Part of subcall function 00EF73E8: SetBkColor.GDI32(?,00000000), ref: 00EF748B
Part of subcall function 00EF73E8: SelectObject.GDI32(?,?), ref: 00EF7498
Part of subcall function 00EF73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00EF74B7
Part of subcall function 00EF73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EF74CE
Part of subcall function 00EF73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00EF74DB

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: a759df7b3c5b3ae1f15ac299eee9c5780f5654e0bee30c063e61e2ccd4a987d5
Instruction ID: d399d539852f9b4b563ff356342a4726569c4030706c4de78ff937ef802c5b4a
Opcode Fuzzy Hash: a759df7b3c5b3ae1f15ac299eee9c5780f5654e0bee30c063e61e2ccd4a987d5
Instruction Fuzzy Hash: AFA19571009309AFD7009F61DD48EBB77A9FB89320F301A19F6A2A61E1D771D949CB51

Function 00EE2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00EE273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00EE286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00EE28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00EE28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00EE2900
GetClientRect.USER32(00000000,?), ref: 00EE290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00EE2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00EE2964
GetStockObject.GDI32(00000011), ref: 00EE2974
SelectObject.GDI32(00000000,00000000), ref: 00EE2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00EE2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EE2991
DeleteDC.GDI32(00000000), ref: 00EE299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00EE29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00EE29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00EE2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00EE2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00EE2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00EE2A77
GetStockObject.GDI32(00000011), ref: 00EE2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00EE2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00EE2A97

Strings

msctls_progress32, xrefs: 00EE2A13
AutoIt v3, xrefs: 00EE28F8
static, xrefs: 00EE294F, 00EE2A71
DISPLAY, xrefs: 00EE295A

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 43050a47629c090540b32f08fa9e29b28290448a7482314d2d1b707b71d51091
Instruction ID: 2cd574395ebe07bbbd7aa2f5724ae9e893e83142b7f7c9b3c50bc720fec6b029
Opcode Fuzzy Hash: 43050a47629c090540b32f08fa9e29b28290448a7482314d2d1b707b71d51091
Instruction Fuzzy Hash: 73B17B71A40209AFEB14DFA9DD49EAE7BA9FB48710F104119FA15E7290D770ED44CBA0

Function 00ED4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00ED4AED
GetDriveTypeW.KERNEL32(?,00EFCB68,?,\\.\,00EFCC08), ref: 00ED4BCA
SetErrorMode.KERNEL32(00000000,00EFCB68,?,\\.\,00EFCC08), ref: 00ED4D36

Strings

SSA, xrefs: 00ED4CA6
FileBackedVirtual, xrefs: 00ED4CEC
USB, xrefs: 00ED4CB4
ATA, xrefs: 00ED4C98
RAID, xrefs: 00ED4CBB
1394, xrefs: 00ED4C9F
Removable, xrefs: 00ED4C10, 00ED4C15
Fixed, xrefs: 00ED4C09
SCSI, xrefs: 00ED4C8A
PhysicalDrive, xrefs: 00ED4B76
SAS, xrefs: 00ED4CC9
Fibre, xrefs: 00ED4CAD
SSD, xrefs: 00ED4C4A
CDROM, xrefs: 00ED4BFB
Unknown, xrefs: 00ED4BED, 00ED4C83
Network, xrefs: 00ED4C02
ATAPI, xrefs: 00ED4C91
\\.\, xrefs: 00ED4B3F
Virtual, xrefs: 00ED4CE5
RAMDisk, xrefs: 00ED4BF4
MMC, xrefs: 00ED4CDE
iSCSI, xrefs: 00ED4CC2
SATA, xrefs: 00ED4CD0

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0f0f1da964be8c267a5b4fe5de7b656cfc234202d1d46124cbb3c0cd2053fdf8
Instruction ID: abacd1f1d405acf23b3f0b3e4fc5ae54d43cce10ca156ad2e122d3bb15881b9f
Opcode Fuzzy Hash: 0f0f1da964be8c267a5b4fe5de7b656cfc234202d1d46124cbb3c0cd2053fdf8
Instruction Fuzzy Hash: 2661D5B1656109DBDB04DF14DA81AB8B7B1EB64344B206417F806FB3D2DB32ED42EB42

Function 00EF73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00EF7421
SetTextColor.GDI32(?,?), ref: 00EF7425
GetSysColorBrush.USER32(0000000F), ref: 00EF743B
GetSysColor.USER32(0000000F), ref: 00EF7446
CreateSolidBrush.GDI32(?), ref: 00EF744B
GetSysColor.USER32(00000011), ref: 00EF7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EF7471
SelectObject.GDI32(?,00000000), ref: 00EF7482
SetBkColor.GDI32(?,00000000), ref: 00EF748B
SelectObject.GDI32(?,?), ref: 00EF7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00EF74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EF74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00EF74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EF752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00EF7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00EF7572
DrawFocusRect.USER32(?,?), ref: 00EF757D
GetSysColor.USER32(00000011), ref: 00EF758E
SetTextColor.GDI32(?,00000000), ref: 00EF7596
DrawTextW.USER32(?,00EF70F5,000000FF,?,00000000), ref: 00EF75A8
SelectObject.GDI32(?,?), ref: 00EF75BF
DeleteObject.GDI32(?), ref: 00EF75CA
SelectObject.GDI32(?,?), ref: 00EF75D0
DeleteObject.GDI32(?), ref: 00EF75D5
SetTextColor.GDI32(?,?), ref: 00EF75DB
SetBkColor.GDI32(?,?), ref: 00EF75E5

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 3d6fb92f90993e0871c42943e84c03db4c872f3362faa3c26426c80bbebeefbe
Instruction ID: 5daf5c41c3d0950a2cf074a708539f19b37f2298922d5d0ce6de532f2ce472ef
Opcode Fuzzy Hash: 3d6fb92f90993e0871c42943e84c03db4c872f3362faa3c26426c80bbebeefbe
Instruction Fuzzy Hash: 72615A7290421CAFDF019FA5DD49EEEBFB9EB48320F214115FA15BB2A1D7709944CB90

Function 00EF0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00EF1128
GetDesktopWindow.USER32 ref: 00EF113D
GetWindowRect.USER32(00000000), ref: 00EF1144
GetWindowLongW.USER32(?,000000F0), ref: 00EF1199
DestroyWindow.USER32(?), ref: 00EF11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00EF11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EF120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EF121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00EF1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00EF1245
IsWindowVisible.USER32(00000000), ref: 00EF12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00EF12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00EF12D0
GetWindowRect.USER32(00000000,?), ref: 00EF12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00EF130E
GetMonitorInfoW.USER32(00000000,?), ref: 00EF1328
CopyRect.USER32(?,?), ref: 00EF133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00EF13AA

Strings

(, xrefs: 00EF131B
tooltips_class32, xrefs: 00EF11E6
0, xrefs: 00EF10D3

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a8e2e981d31e538a218d093205b638d606eb83c7b121b324931f8f08d3552c56
Instruction ID: fa087b2544b23cf9abf033995201b0eedfe3083dcdc368e7f57e2836330a9a35
Opcode Fuzzy Hash: a8e2e981d31e538a218d093205b638d606eb83c7b121b324931f8f08d3552c56
Instruction Fuzzy Hash: C5B1B071608349EFD700DF64C884BAABBE4FF84754F10995CFA99AB261D770D844CB51

Function 00EF0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EF02E5
_wcslen.LIBCMT ref: 00EF031F
_wcslen.LIBCMT ref: 00EF0389
_wcslen.LIBCMT ref: 00EF03F1
_wcslen.LIBCMT ref: 00EF0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00EF04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EF0504

Part of subcall function 00E7F9F2: _wcslen.LIBCMT ref: 00E7F9FD

Part of subcall function 00EC223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EC2258
Part of subcall function 00EC223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EC228A

Strings

ISSELECTED, xrefs: 00EF04DD
GETSELECTEDCOUNT, xrefs: 00EF0470, 00EF048B
SELECTALL, xrefs: 00EF0515
SELECTINVERT, xrefs: 00EF057E
DESELECT, xrefs: 00EF059C
GETSUBITEMCOUNT, xrefs: 00EF0384, 00EF039F
FINDITEM, xrefs: 00EF0627
SELECTCLEAR, xrefs: 00EF052D
GETTEXT, xrefs: 00EF03EC, 00EF0407
GETSELECTED, xrefs: 00EF05E1
VIEWCHANGE, xrefs: 00EF0675
GETITEMCOUNT, xrefs: 00EF0316, 00EF0337
SELECT, xrefs: 00EF0548

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 5afabed3b71607a993d47eb0c49d0351583009c8754cde128c2e7c3d9ecc8d0e
Instruction ID: 0de469adcb67cb815412d5edc694429d20c947413f5f3f6c4a4c5fb165163df3
Opcode Fuzzy Hash: 5afabed3b71607a993d47eb0c49d0351583009c8754cde128c2e7c3d9ecc8d0e
Instruction Fuzzy Hash: C5E1A0312083058FC724EF24D55097AB3E6BFC8758B14A95DF996BB2A2DB30ED45CB41

Function 00E78891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E78968
GetSystemMetrics.USER32(00000007), ref: 00E78970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E7899B
GetSystemMetrics.USER32(00000008), ref: 00E789A3
GetSystemMetrics.USER32(00000004), ref: 00E789C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E789E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E789F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E78A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E78A3C
GetClientRect.USER32(00000000,000000FF), ref: 00E78A5A
GetStockObject.GDI32(00000011), ref: 00E78A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E78A81

Part of subcall function 00E7912D: GetCursorPos.USER32(?), ref: 00E79141
Part of subcall function 00E7912D: ScreenToClient.USER32(00000000,?), ref: 00E7915E
Part of subcall function 00E7912D: GetAsyncKeyState.USER32(00000001), ref: 00E79183
Part of subcall function 00E7912D: GetAsyncKeyState.USER32(00000002), ref: 00E7919D

SetTimer.USER32(00000000,00000000,00000028,00E790FC), ref: 00E78AA8

Strings

AutoIt v3 GUI, xrefs: 00E78A20

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 62f8989ccec2c7fecb85ec9840b04f681beb5f6085145a2cee2e24d2597528b7
Instruction ID: bf57b0b5eaf42b4e2cb49aaec69041b76fc2340f8ade5e96dfc3d60bc9037fd4
Opcode Fuzzy Hash: 62f8989ccec2c7fecb85ec9840b04f681beb5f6085145a2cee2e24d2597528b7
Instruction Fuzzy Hash: F4B17D71A002099FDB14DF68CD59BEE3BB5FB48314F21922AFA19B7290DB74E840CB51

Function 00EC0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EC1114
Part of subcall function 00EC10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC1120
Part of subcall function 00EC10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC112F
Part of subcall function 00EC10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC1136
Part of subcall function 00EC10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EC114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EC0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EC0E29
GetLengthSid.ADVAPI32(?), ref: 00EC0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00EC0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EC0E96
GetLengthSid.ADVAPI32(?), ref: 00EC0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00EC0EB5
HeapAlloc.KERNEL32(00000000), ref: 00EC0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EC0EDD
CopySid.ADVAPI32(00000000), ref: 00EC0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EC0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EC0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EC0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC0F6E
HeapFree.KERNEL32(00000000), ref: 00EC0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC0F7E
HeapFree.KERNEL32(00000000), ref: 00EC0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC0F8E
HeapFree.KERNEL32(00000000), ref: 00EC0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00EC0FA1
HeapFree.KERNEL32(00000000), ref: 00EC0FA8

Part of subcall function 00EC1193: GetProcessHeap.KERNEL32(00000008,00EC0BB1,?,00000000,?,00EC0BB1,?), ref: 00EC11A1
Part of subcall function 00EC1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EC0BB1,?), ref: 00EC11A8
Part of subcall function 00EC1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00EC0BB1,?), ref: 00EC11B7

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ec8b93969d03b8389d4298de4256761f7b8a0d4c6a98b1ac0158b07ad4b73e2c
Instruction ID: ad3ad353b4e4cdee058b7f36171a211e5168e3fbb85565cb3ed350f63fe330d5
Opcode Fuzzy Hash: ec8b93969d03b8389d4298de4256761f7b8a0d4c6a98b1ac0158b07ad4b73e2c
Instruction Fuzzy Hash: 02716F71A0020AEFDF209FA5DE44FAEBBB8BF45304F244119F919F6151D7319A5ACB60

Function 00EEC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EEC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00EFCC08,00000000,?,00000000,?,?), ref: 00EEC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00EEC5A4
_wcslen.LIBCMT ref: 00EEC5F4
_wcslen.LIBCMT ref: 00EEC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00EEC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00EEC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00EEC84D
RegCloseKey.ADVAPI32(?), ref: 00EEC881
RegCloseKey.ADVAPI32(00000000), ref: 00EEC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00EEC960

Strings

REG_SZ, xrefs: 00EEC644
REG_MULTI_SZ, xrefs: 00EEC6F5
REG_EXPAND_SZ, xrefs: 00EEC5CD
REG_QWORD, xrefs: 00EEC8C3
REG_BINARY, xrefs: 00EEC913
REG_DWORD, xrefs: 00EEC804

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: a1732103595fb56218ac30621dcfae164b51cfeb0b18386143d5c48057972007
Instruction ID: ba300756bb25d11908ca1e5b36945eafd196087720f4e1601149b76d1cc8e5b8
Opcode Fuzzy Hash: a1732103595fb56218ac30621dcfae164b51cfeb0b18386143d5c48057972007
Instruction Fuzzy Hash: 55128D356042419FC714DF15D881A2AB7E5FF88754F24989DF88AAB3A2DB31FC42CB81

Function 00EF091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EF09C6
_wcslen.LIBCMT ref: 00EF0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EF0A54
_wcslen.LIBCMT ref: 00EF0A8A
_wcslen.LIBCMT ref: 00EF0B06
_wcslen.LIBCMT ref: 00EF0B81

Part of subcall function 00E7F9F2: _wcslen.LIBCMT ref: 00E7F9FD

Part of subcall function 00EC2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EC2BFA

Strings

EXPAND, xrefs: 00EF0BF8
GETTOTALCOUNT, xrefs: 00EF09F2, 00EF0A17
COLLAPSE, xrefs: 00EF0B01, 00EF0B1C
EXISTS, xrefs: 00EF0B7C, 00EF0B97
GETTEXT, xrefs: 00EF0C97
GETSELECTED, xrefs: 00EF0C4E
UNCHECK, xrefs: 00EF0D3E
ISCHECKED, xrefs: 00EF0CE1
CHECK, xrefs: 00EF0A85, 00EF0AA0
GETITEMCOUNT, xrefs: 00EF0C1E
SELECT, xrefs: 00EF0D11

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 22de28d1d26802a76d22ef82b42823f709f01fa89d4356aaabab9824aaea7110
Instruction ID: 37c41d06d97670cd44c78957028af8a360c16d1e2eca9ddadf25e13a9d599143
Opcode Fuzzy Hash: 22de28d1d26802a76d22ef82b42823f709f01fa89d4356aaabab9824aaea7110
Instruction Fuzzy Hash: 4BE1DA312087058FC714EF24C45097AB7E2BF88358B50A99DF99ABB3A2D731ED45CB81

Function 00EEC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EEB6AE,?,?), ref: 00EEC9B5
_wcslen.LIBCMT ref: 00EEC9F1
_wcslen.LIBCMT ref: 00EECA68
_wcslen.LIBCMT ref: 00EECA9E
_wcslen.LIBCMT ref: 00EECAF9
_wcslen.LIBCMT ref: 00EECB2F
_wcslen.LIBCMT ref: 00EECB7F

Strings

HKU, xrefs: 00EECBF0
HKEY_CURRENT_USER, xrefs: 00EECBBD
HKEY_CURRENT_CONFIG, xrefs: 00EECB79, 00EECB7E
HKLM, xrefs: 00EECA98, 00EECA9D
HKCC, xrefs: 00EECBAC
HKEY_USERS, xrefs: 00EECBDF
HKCR, xrefs: 00EECB29, 00EECB2E
HKEY_CLASSES_ROOT, xrefs: 00EECAF3, 00EECAF8
HKEY_LOCAL_MACHINE, xrefs: 00EECA62, 00EECA67
HKCU, xrefs: 00EECBCE

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 8731913019e0136a952b55b3c9b4523c5115010b692e068bd2bdfd5b9abe1e0e
Instruction ID: 0b9b13fd5c170c9986e0649b38991c606902b2b18d4752016d9ba2b2dd9a5970
Opcode Fuzzy Hash: 8731913019e0136a952b55b3c9b4523c5115010b692e068bd2bdfd5b9abe1e0e
Instruction Fuzzy Hash: 597119326001AE8BCB20EE7ED9415FF3395ABA0758B312534F86EB7285E631CD42D390

Function 00EF833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EF835A
_wcslen.LIBCMT ref: 00EF836E
_wcslen.LIBCMT ref: 00EF8391
_wcslen.LIBCMT ref: 00EF83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00EF83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00EF5BF2), ref: 00EF844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EF8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00EF84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EF8501
FreeLibrary.KERNEL32(?), ref: 00EF850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EF851D
DestroyIcon.USER32(?,?,?,?,?,00EF5BF2), ref: 00EF852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00EF8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00EF8555

Strings

.dll, xrefs: 00EF83AB
.icl, xrefs: 00EF8368
.exe, xrefs: 00EF8388

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 79beb862002d83bc705e7b28414e7cccec8490c02a13b97c8856995332529360
Instruction ID: 0c6b54eb3efc4ea4347a5d6d04c957beefbd5497809ec5ee1cd5bc5665ad35a5
Opcode Fuzzy Hash: 79beb862002d83bc705e7b28414e7cccec8490c02a13b97c8856995332529360
Instruction Fuzzy Hash: F661F07150021ABFEB14DF64CD41BBE77A8FB44710F20560AF919F60D0EB74A984C7A0

Function 00E67778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 00E67873, 00E678C5
#include, xrefs: 00E67847
#comments-end, xrefs: 00E678D9
', xrefs: 00EA5169
#ce, xrefs: 00E678ED
", xrefs: 00EA5153
#OnAutoItStartRegister, xrefs: 00E67817
Bad directive syntax error, xrefs: 00EA519A
#notrayicon, xrefs: 00E677E7
#pragma compile, xrefs: 00E677D3
Cannot parse #include, xrefs: 00EA5279
#include-once, xrefs: 00E6782F
#comments-start, xrefs: 00E6785F, 00E678B1
Unterminated group of comments, xrefs: 00EA528C
#requireadmin, xrefs: 00E677FF

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 3b9075411a0715d1ee97a11eb49f57a220408960f435f4c1306f888c3114c5a6
Instruction ID: 53bc45d08b1ac1c328ecb43ac1f920046e647461981c5e05b72de5a551d0bd6b
Opcode Fuzzy Hash: 3b9075411a0715d1ee97a11eb49f57a220408960f435f4c1306f888c3114c5a6
Instruction Fuzzy Hash: 6A811571684605BBDB20AF60ED42FBE37E8AF15348F106025FD48BB192EB70E901C7A1

Function 00ED3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00ED3EF8
_wcslen.LIBCMT ref: 00ED3F03
_wcslen.LIBCMT ref: 00ED3F5A
_wcslen.LIBCMT ref: 00ED3F98
GetDriveTypeW.KERNEL32(?), ref: 00ED3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ED401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ED4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ED4087

Strings

type cdaudio alias cd wait, xrefs: 00ED4001
close, xrefs: 00ED3EFE, 00ED3F18
wait, xrefs: 00ED4044
open , xrefs: 00ED3FE5
open, xrefs: 00ED3F54, 00ED3F59
close cd wait, xrefs: 00ED4072
closed, xrefs: 00ED3F08, 00ED3F2D, 00ED3F46, 00ED3F7E, 00ED3F97
set cd door , xrefs: 00ED4028

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 00403314949de6ee408bd7ababfbc8b17c4e4e78375c7e4b0cfd4aa0cff6d47a
Instruction ID: f21a0b5f97a7e717eedbd55f1dcfacf6f2ef51a1b6cfc23a430ec432e94cec48
Opcode Fuzzy Hash: 00403314949de6ee408bd7ababfbc8b17c4e4e78375c7e4b0cfd4aa0cff6d47a
Instruction Fuzzy Hash: 8D71D3726042169FC310EF34D8818AAB7F4EF94798F10592EF495A7391EB31ED46CB92

Function 00EC5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00EC5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00EC5A40
SetWindowTextW.USER32(?,?), ref: 00EC5A57
GetDlgItem.USER32(?,000003EA), ref: 00EC5A6C
SetWindowTextW.USER32(00000000,?), ref: 00EC5A72
GetDlgItem.USER32(?,000003E9), ref: 00EC5A82
SetWindowTextW.USER32(00000000,?), ref: 00EC5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00EC5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00EC5AC3
GetWindowRect.USER32(?,?), ref: 00EC5ACC
_wcslen.LIBCMT ref: 00EC5B33
SetWindowTextW.USER32(?,?), ref: 00EC5B6F
GetDesktopWindow.USER32 ref: 00EC5B75
GetWindowRect.USER32(00000000), ref: 00EC5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00EC5BD3
GetClientRect.USER32(?,?), ref: 00EC5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00EC5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00EC5C2F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: d0036a1c83ef1fc90d7e9654ace034669d042f682a729687014a9b7c40d86a28
Instruction ID: 189030cc0c3e5386ea38c95578734d71be51627cc06709b2d6102c8101fc6e13
Opcode Fuzzy Hash: d0036a1c83ef1fc90d7e9654ace034669d042f682a729687014a9b7c40d86a28
Instruction Fuzzy Hash: F2715A32900A09AFDB20DFA9CE85FAEBBF5FB48704F20551DE146B25A0D776B945CB10

Function 00EDFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00EDFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00EDFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00EDFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00EDFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00EDFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00EDFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00EDFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00EDFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00EDFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00EDFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00EDFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00EDFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00EDFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00EDFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00EDFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00EDFECC
GetCursorInfo.USER32(?), ref: 00EDFEDC
GetLastError.KERNEL32 ref: 00EDFF1E

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: d8809abe726599eb24cb78dadff4d63d3b7328bb52c76b9e0fdb020f0c88f7fe
Instruction ID: d5f74a26e403379521ce4d80b74edb9d67e73f36b4dabab111f9b1d94ea850a1
Opcode Fuzzy Hash: d8809abe726599eb24cb78dadff4d63d3b7328bb52c76b9e0fdb020f0c88f7fe
Instruction Fuzzy Hash: C94154B0E44319AEDB10DFBA9C8586EBFE8FF04754B50452AE11DE7281DB78D901CE91

Function 00E800C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00E800C6

Part of subcall function 00E800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00F3070C,00000FA0,4AEE6BAF,?,?,?,?,00EA23B3,000000FF), ref: 00E8011C
Part of subcall function 00E800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00EA23B3,000000FF), ref: 00E80127
Part of subcall function 00E800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00EA23B3,000000FF), ref: 00E80138
Part of subcall function 00E800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00E8014E
Part of subcall function 00E800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00E8015C
Part of subcall function 00E800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00E8016A
Part of subcall function 00E800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E80195
Part of subcall function 00E800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E801A0

___scrt_fastfail.LIBCMT ref: 00E800E7

Part of subcall function 00E800A3: __onexit.LIBCMT ref: 00E800A9

Strings

kernel32.dll, xrefs: 00E80133
SleepConditionVariableCS, xrefs: 00E80154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00E80122
WakeAllConditionVariable, xrefs: 00E80162
InitializeConditionVariable, xrefs: 00E80148

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 2883600416176e4abcef9f675b668af27d80c32fac24793dc3ed03ab540ff787
Instruction ID: f22d6df708702cb370d9eb73c762812cc81a960f1e464fe2829118e31e3a00d2
Opcode Fuzzy Hash: 2883600416176e4abcef9f675b668af27d80c32fac24793dc3ed03ab540ff787
Instruction Fuzzy Hash: 3D2107326427196FE7506B64AD09B3933E4DF45B71F20112AF90DB3291DF619808CB91

Function 00EC30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EC318D
_wcslen.LIBCMT ref: 00EC31F8

Strings

CLASS, xrefs: 00EC3188, 00EC31A5
INSTANCE, xrefs: 00EC3453
REGEXPCLASS, xrefs: 00EC3255, 00EC3266
NAME, xrefs: 00EC3335, 00EC3346
CLASSNN, xrefs: 00EC31F3, 00EC3204
TEXT, xrefs: 00EC347C

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: e6ec44e63b8fdb35d546521fe6b254fd991c627c3d6dc54bfbb15235ea778e67
Instruction ID: 680eefe2b2f32c64010690df3711005d695439e30360555637c1913b620f472a
Opcode Fuzzy Hash: e6ec44e63b8fdb35d546521fe6b254fd991c627c3d6dc54bfbb15235ea778e67
Instruction Fuzzy Hash: 24E1E431A006269BCB189FB8C541FEDFBB0BF54714F64E11EE46AB7240DB31AE469790

Function 00ED44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00EFCC08), ref: 00ED4527
_wcslen.LIBCMT ref: 00ED453B
_wcslen.LIBCMT ref: 00ED4599
_wcslen.LIBCMT ref: 00ED45F4
_wcslen.LIBCMT ref: 00ED463F
_wcslen.LIBCMT ref: 00ED46A7

Part of subcall function 00E7F9F2: _wcslen.LIBCMT ref: 00E7F9FD

GetDriveTypeW.KERNEL32(?,00F26BF0,00000061), ref: 00ED4743

Strings

unknown, xrefs: 00ED4708
ramdisk, xrefs: 00ED46F1
cdrom, xrefs: 00ED458F, 00ED4594
network, xrefs: 00ED469D, 00ED46A2
removable, xrefs: 00ED45EA, 00ED45EF
fixed, xrefs: 00ED4635, 00ED463A
all, xrefs: 00ED4531, 00ED4536

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 0a4296babc225d9bc212c07fbc82affa944aeb1f42b6cbbc258cd5b970350378
Instruction ID: 7e24b7b6671c38e647f4bc9c38a50db4ebc3859cda4f74992665cef95bf8b0b8
Opcode Fuzzy Hash: 0a4296babc225d9bc212c07fbc82affa944aeb1f42b6cbbc258cd5b970350378
Instruction Fuzzy Hash: 1AB102B16083029FC710DF28D890A6AB7E5EFA5764F10691EF4AAE73D1D730D846CB52

Function 00EE3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EFCC08), ref: 00EE40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00EE40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00EFCC08), ref: 00EE40F2
FreeLibrary.KERNEL32(00000000,?,00EFCC08), ref: 00EE413E
StringFromGUID2.OLE32(?,?,00000028,?,00EFCC08), ref: 00EE41A8
SysFreeString.OLEAUT32(00000009), ref: 00EE4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00EE42C8
SysFreeString.OLEAUT32(?), ref: 00EE42F2

Strings

kernel32.dll, xrefs: 00EE40B6
GetModuleHandleExW, xrefs: 00EE40C7

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: ae88a5e1ef9555b58a3fea567f47b6c467ac2ea8bc6adb0cb22246e539ef83c6
Instruction ID: 9bc150191f486e0083a2ac5eb3d04680a2d5af95f99d61ceb51064e4bff0c890
Opcode Fuzzy Hash: ae88a5e1ef9555b58a3fea567f47b6c467ac2ea8bc6adb0cb22246e539ef83c6
Instruction Fuzzy Hash: F2126EB1A00149EFDB14DF95C884EAEB7B5FF85318F249098F905AB291D731ED46CBA0

Function 00E6326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00F31990), ref: 00EA2F8D
GetMenuItemCount.USER32(00F31990), ref: 00EA303D
GetCursorPos.USER32(?), ref: 00EA3081
SetForegroundWindow.USER32(00000000), ref: 00EA308A
TrackPopupMenuEx.USER32(00F31990,00000000,?,00000000,00000000,00000000), ref: 00EA309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00EA30A9

Strings

0, xrefs: 00E6327D

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: a6650721fae1a959478fdcedbcc36e3cc40f3b34d51ee3e081f1c1b666e03bf7
Instruction ID: 09f1af3609c9de54acc9f05ed49914247d48d4d6a66f442e813e6036ae960470
Opcode Fuzzy Hash: a6650721fae1a959478fdcedbcc36e3cc40f3b34d51ee3e081f1c1b666e03bf7
Instruction Fuzzy Hash: B8712930644209BEEB218F39DD49FAABF68FF05368F20520AF6157A1E0C7B1B954D750

Function 00EF6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00EF6DEB

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00EF6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00EF6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EF6E94
DestroyWindow.USER32(?), ref: 00EF6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E60000,00000000), ref: 00EF6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EF6EFD
GetDesktopWindow.USER32 ref: 00EF6F16
GetWindowRect.USER32(00000000), ref: 00EF6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EF6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00EF6F4D

Part of subcall function 00E79944: GetWindowLongW.USER32(?,000000EB), ref: 00E79952

Strings

tooltips_class32, xrefs: 00EF6E58, 00EF6EDD
0, xrefs: 00EF6D98

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 0aa3fcf9e187f6ba9053e813b0888f4365b4d63e8019f8ab1896ac9dae3ff943
Instruction ID: 73b1595168c2b51dc26ffff1ac12e20fffea7bbaf7779074bf044e720d659b21
Opcode Fuzzy Hash: 0aa3fcf9e187f6ba9053e813b0888f4365b4d63e8019f8ab1896ac9dae3ff943
Instruction Fuzzy Hash: C5716C71104248AFDB21DF18D844BBABBE9FB89708F14541DF689A7261C770ED0ADB12

Function 00EF911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

DragQueryPoint.SHELL32(?,?), ref: 00EF9147

Part of subcall function 00EF7674: ClientToScreen.USER32(?,?), ref: 00EF769A
Part of subcall function 00EF7674: GetWindowRect.USER32(?,?), ref: 00EF7710
Part of subcall function 00EF7674: PtInRect.USER32(?,?,00EF8B89), ref: 00EF7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00EF91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00EF91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00EF91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00EF9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00EF923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00EF9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00EF9277
DragFinish.SHELL32(?), ref: 00EF927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00EF9371

Strings

@GUI_DRAGFILE, xrefs: 00EF9320
@GUI_DRAGID, xrefs: 00EF92E9
@GUI_DROPID, xrefs: 00EF929E

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 226fff89bbac76ccfd0d38c38389e012789f526d62082ddae6cf4c627b33f72b
Instruction ID: 1fc75f693f912862d000da59c42b7916f31b2db899972bbb7235f241087637da
Opcode Fuzzy Hash: 226fff89bbac76ccfd0d38c38389e012789f526d62082ddae6cf4c627b33f72b
Instruction Fuzzy Hash: 2E616A71108305AFD701EF60ED85EAFBBE8EFC8790F10192DF595A21A1DB309A49CB52

Function 00EDC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EDC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EDC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EDC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EDC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00EDC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EDC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EDC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EDC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EDC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EDC5F0
InternetCloseHandle.WININET(00000000), ref: 00EDC5FB

Strings

, xrefs: 00EDC575

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: cfbe1445f9756c5520edd74589b7c8ec674ad6108ac5fe3ebfd58363f0e6fb00
Instruction ID: c275191be1f7ea5c58456b4f10d7d08b9d4111a9b8c430653abb8db0c55461f9
Opcode Fuzzy Hash: cfbe1445f9756c5520edd74589b7c8ec674ad6108ac5fe3ebfd58363f0e6fb00
Instruction Fuzzy Hash: 1E517FB150060ABFDB219F61D948ABB7BFCFF48788F20541AF945E6250DB30E949DB60

Function 00EF856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00EF8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EF85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EF85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EF85BA
GlobalLock.KERNEL32(00000000), ref: 00EF85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EF85D7
GlobalUnlock.KERNEL32(00000000), ref: 00EF85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EF85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EF85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00EFFC38,?), ref: 00EF8611
GlobalFree.KERNEL32(00000000), ref: 00EF8621
GetObjectW.GDI32(?,00000018,?), ref: 00EF8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00EF8671
DeleteObject.GDI32(?), ref: 00EF8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00EF86AF

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 8ece81a2ab9a89a62308893eda1318e596cade621bbfa1afa6957b54c39f3220
Instruction ID: 1ee1a4fa9047984f702ab89567054c68542a472f62347215fe7f2cad8925fb49
Opcode Fuzzy Hash: 8ece81a2ab9a89a62308893eda1318e596cade621bbfa1afa6957b54c39f3220
Instruction Fuzzy Hash: 7D410A75600208AFDB11DFA6DE48EBA7BB8FF89B55F214058F905E72A0DB309D05DB60

Function 00ED14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00ED1502
VariantCopy.OLEAUT32(?,?), ref: 00ED150B
VariantClear.OLEAUT32(?), ref: 00ED1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00ED15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00ED1657
VariantInit.OLEAUT32(?), ref: 00ED1708
SysFreeString.OLEAUT32(?), ref: 00ED178C
VariantClear.OLEAUT32(?), ref: 00ED17D8
VariantClear.OLEAUT32(?), ref: 00ED17E7
VariantInit.OLEAUT32(00000000), ref: 00ED1823

Strings

Default, xrefs: 00ED16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00ED1625

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 2f3cbedf5beca36357c933827ec26db8a1c43cf59388559aebae0d07f442b34b
Instruction ID: 2382d8a8bd884abf69166512ce5986bd7151cf8a908d19c09bc27ad8fdc78330
Opcode Fuzzy Hash: 2f3cbedf5beca36357c933827ec26db8a1c43cf59388559aebae0d07f442b34b
Instruction Fuzzy Hash: 88D1DE71A00205EBDB109F65E885BBDB7F5FF85700F24909BE406BB291DB38D846DB62

Function 00EEB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EEB6AE,?,?), ref: 00EEC9B5
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EEC9F1
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EECA68
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EEB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EEB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00EEB80A
RegCloseKey.ADVAPI32(?), ref: 00EEB87E
RegCloseKey.ADVAPI32(?), ref: 00EEB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00EEB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EEB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00EEB922
FreeLibrary.KERNEL32(00000000), ref: 00EEB983
RegCloseKey.ADVAPI32(00000000), ref: 00EEB994

Strings

advapi32.dll, xrefs: 00EEB8ED
RegDeleteKeyExW, xrefs: 00EEB8FE

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: b6c5d99ab9e321ff3d3742afe31037b50c000b126418430b9a696788dc48baad
Instruction ID: f206ef7a2dce0826bd36b2ec360e80a3b39c87e9bfc800d468872867a3a9d2d2
Opcode Fuzzy Hash: b6c5d99ab9e321ff3d3742afe31037b50c000b126418430b9a696788dc48baad
Instruction Fuzzy Hash: 17C19D30204245AFD714DF15C495F2ABBE5BF84348F24A55CF49AAB3A2CB71EC46CB91

Function 00EE255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EE25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00EE25E8
CreateCompatibleDC.GDI32(?), ref: 00EE25F4
SelectObject.GDI32(00000000,?), ref: 00EE2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00EE266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00EE26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00EE26D0
SelectObject.GDI32(?,?), ref: 00EE26D8
DeleteObject.GDI32(?), ref: 00EE26E1
DeleteDC.GDI32(?), ref: 00EE26E8
ReleaseDC.USER32(00000000,?), ref: 00EE26F3

Strings

(, xrefs: 00EE268D

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5917f6c115c4e8d5e6386356ebd7821a5a2a7745003a42e6b40fc75687d3eaa4
Instruction ID: 4b34b796dffe09e9540cdecde3daa2b95bf408b46d77d1dae56c8454e2f86ea2
Opcode Fuzzy Hash: 5917f6c115c4e8d5e6386356ebd7821a5a2a7745003a42e6b40fc75687d3eaa4
Instruction Fuzzy Hash: 4561D175D00219EFCB04CFA9D984AAEBBF9FF48310F20852AEA55B7250D770A955CF90

Function 00E9DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00E9DAA1

Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D659
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D66B
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D67D
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D68F
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D6A1
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D6B3
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D6C5
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D6D7
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D6E9
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D6FB
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D70D
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D71F
Part of subcall function 00E9D63C: _free.LIBCMT ref: 00E9D731

_free.LIBCMT ref: 00E9DA96

Part of subcall function 00E929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000), ref: 00E929DE
Part of subcall function 00E929C8: GetLastError.KERNEL32(00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000,00000000), ref: 00E929F0

_free.LIBCMT ref: 00E9DAB8
_free.LIBCMT ref: 00E9DACD
_free.LIBCMT ref: 00E9DAD8
_free.LIBCMT ref: 00E9DAFA
_free.LIBCMT ref: 00E9DB0D
_free.LIBCMT ref: 00E9DB1B
_free.LIBCMT ref: 00E9DB26
_free.LIBCMT ref: 00E9DB5E
_free.LIBCMT ref: 00E9DB65
_free.LIBCMT ref: 00E9DB82
_free.LIBCMT ref: 00E9DB9A

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: cc40270b5b1446514bd5f3ec637d8578c0e4a18b73ca600a35bbe765c1b39b9a
Instruction ID: d270f3b9fd587b295aa8531a34875fb8635c5b0e758b15dfb91fc83e49a139ff
Opcode Fuzzy Hash: cc40270b5b1446514bd5f3ec637d8578c0e4a18b73ca600a35bbe765c1b39b9a
Instruction Fuzzy Hash: 01318B31608714AFEF21AA38EC41B9AB7E9FF40324F106419E548F7192EF71AC50C760

Function 00EC365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00EC369C
_wcslen.LIBCMT ref: 00EC36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00EC3797
GetClassNameW.USER32(?,?,00000400), ref: 00EC380C
GetDlgCtrlID.USER32(?), ref: 00EC385D
GetWindowRect.USER32(?,?), ref: 00EC3882
GetParent.USER32(?), ref: 00EC38A0
ScreenToClient.USER32(00000000), ref: 00EC38A7
GetClassNameW.USER32(?,?,00000100), ref: 00EC3921
GetWindowTextW.USER32(?,?,00000400), ref: 00EC395D

Strings

%s%u, xrefs: 00EC3734

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 7844f973614e90e640c13fd57d2cccbdc0f71acde95f8cb978a8194a81f5218e
Instruction ID: c680489570dba980fe1fbcdde793c2b5caaeb3b1a6111cad7895b198439e44ff
Opcode Fuzzy Hash: 7844f973614e90e640c13fd57d2cccbdc0f71acde95f8cb978a8194a81f5218e
Instruction Fuzzy Hash: EB91C071204606AFD718DF34C985FAAB7E8FF84314F10952DF999E2190DB31EA4ACB91

Function 00EC4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00EC4994
GetWindowTextW.USER32(?,?,00000400), ref: 00EC49DA
_wcslen.LIBCMT ref: 00EC49EB
CharUpperBuffW.USER32(?,00000000), ref: 00EC49F7
_wcsstr.LIBVCRUNTIME ref: 00EC4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00EC4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00EC4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00EC4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00EC4B20
GetWindowRect.USER32(?,?), ref: 00EC4B8B

Strings

ThumbnailClass, xrefs: 00EC4A6F, 00EC4AF1

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 5c48670fabaa112c758fe014c4d0b6ee3aacecbca909b48a9818a056bb00f44c
Instruction ID: 85787b594a7b5eb5b2b19d4bde5876ac05364c510c3a0852e2ab8dc8ac889bde
Opcode Fuzzy Hash: 5c48670fabaa112c758fe014c4d0b6ee3aacecbca909b48a9818a056bb00f44c
Instruction Fuzzy Hash: D191B0B10042059FDB04DE14CA95FAA77E8EF84718F04646DFD89A60D6DB31ED46CBA1

Function 00EF8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EF8D5A
GetFocus.USER32 ref: 00EF8D6A
GetDlgCtrlID.USER32(00000000), ref: 00EF8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00EF8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00EF8ECF
GetMenuItemCount.USER32(?), ref: 00EF8EEC
GetMenuItemID.USER32(?,00000000), ref: 00EF8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00EF8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00EF8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EF8FA1

Strings

0, xrefs: 00EF8E9F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 752b7600096a29468e9bb1d6c22208e5b1fe4ec0be90d9d4065f89722a9a7372
Instruction ID: 15a7421312ff9e9b9f22c71bf5e80223588814a440c21e2282efcb41281d1117
Opcode Fuzzy Hash: 752b7600096a29468e9bb1d6c22208e5b1fe4ec0be90d9d4065f89722a9a7372
Instruction Fuzzy Hash: AF819D726083099FD710CF14CE84ABB7BE9FF88758F141959FA85A7291DB30D904CB62

Function 00ECBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00F31990,000000FF,00000000,00000030), ref: 00ECBFAC
SetMenuItemInfoW.USER32(00F31990,00000004,00000000,00000030), ref: 00ECBFE1
Sleep.KERNEL32(000001F4), ref: 00ECBFF3
GetMenuItemCount.USER32(?), ref: 00ECC039
GetMenuItemID.USER32(?,00000000), ref: 00ECC056
GetMenuItemID.USER32(?,-00000001), ref: 00ECC082
GetMenuItemID.USER32(?,?), ref: 00ECC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00ECC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ECC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ECC145

Strings

0, xrefs: 00ECBF3D

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 2b248d09fc772904cf2d97e35c171d28fbce25d68f17f86d1b3c2ec2a877db74
Instruction ID: 68c617537008eee571d48d783d7535487b56d7e65698e35ba59192dc7df002b0
Opcode Fuzzy Hash: 2b248d09fc772904cf2d97e35c171d28fbce25d68f17f86d1b3c2ec2a877db74
Instruction Fuzzy Hash: 5F617FB090024AAFDF11CF65CE89FEE7BB9EB45348F241059E815B3291C732AD46CB61

Function 00ECDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00ECDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00ECDC46
_wcslen.LIBCMT ref: 00ECDC50
_wcsstr.LIBVCRUNTIME ref: 00ECDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00ECDCBC

Strings

\VarFileInfo\Translation, xrefs: 00ECDCB4
StringFileInfo\, xrefs: 00ECDC8F
DefaultLangCodepage, xrefs: 00ECDD1F
%u.%u.%u.%u, xrefs: 00ECDD9A
04090000, xrefs: 00ECDCF2

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: e54c71f0bed5d1955107283aaf703889f6a3893925d0741fdb04460e6f8820ce
Instruction ID: 39db9e518287b66e964160fe760f2070df77a9b0024103a8df240355951d1114
Opcode Fuzzy Hash: e54c71f0bed5d1955107283aaf703889f6a3893925d0741fdb04460e6f8820ce
Instruction Fuzzy Hash: 3A4134329442047ADB10B7749D03FFF77ACDF41720F20206AF909B61D2EB329901A7A1

Function 00EECC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00EECC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00EECC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00EECD48

Part of subcall function 00EECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00EECCAA
Part of subcall function 00EECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00EECCBD
Part of subcall function 00EECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EECCCF
Part of subcall function 00EECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00EECD05
Part of subcall function 00EECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00EECD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00EECCF3

Strings

advapi32.dll, xrefs: 00EECCB8
RegDeleteKeyExW, xrefs: 00EECCC9

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: aa4272d3ce60e6b019b9800b0f17e2eee2cb979bc20e690673078633e55e7b88
Instruction ID: f8022400c250de8c1c8124351fa6a006cf046e0b32676ed4604d4b6fd22fcb63
Opcode Fuzzy Hash: aa4272d3ce60e6b019b9800b0f17e2eee2cb979bc20e690673078633e55e7b88
Instruction Fuzzy Hash: 31318E7190112DBFDB209B96DC88EFFBB7CEF45744F300165A905F2240DA309A4ADAA1

Function 00ED3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00ED3D40
_wcslen.LIBCMT ref: 00ED3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00ED3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00ED3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00ED3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00ED3E55
CloseHandle.KERNEL32(00000000), ref: 00ED3E60
CloseHandle.KERNEL32(00000000), ref: 00ED3E6B

Strings

:, xrefs: 00ED3D82
\, xrefs: 00ED3D77
\??\%s, xrefs: 00ED3D5B

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 54bbf7c209cb2c6ba17dc87deb1891fd1bc678067ce22c3117a787a12e42f0a3
Instruction ID: 5a4b85586aad92f7abf620676aec57443f539a92753e04a336697507bacc36bb
Opcode Fuzzy Hash: 54bbf7c209cb2c6ba17dc87deb1891fd1bc678067ce22c3117a787a12e42f0a3
Instruction Fuzzy Hash: 9131A17190020AABDB209BA1DC49FEB37BDEF88744F2050B6F509E6160E7749749CB25

Function 00ECE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00ECE6B4

Part of subcall function 00E7E551: timeGetTime.WINMM(?,?,00ECE6D4), ref: 00E7E555

Sleep.KERNEL32(0000000A), ref: 00ECE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00ECE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00ECE727
SetActiveWindow.USER32 ref: 00ECE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00ECE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00ECE773
Sleep.KERNEL32(000000FA), ref: 00ECE77E
IsWindow.USER32 ref: 00ECE78A
EndDialog.USER32(00000000), ref: 00ECE79B

Strings

BUTTON, xrefs: 00ECE719

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 09dd6b99e4c52815b2fd1d8729034a36ad8473b30cab268fddc5daedf2062218
Instruction ID: 8b2f3677b47471c3d2de9a97b2c00c2a1c499550be68107866c52dfad27c2fae
Opcode Fuzzy Hash: 09dd6b99e4c52815b2fd1d8729034a36ad8473b30cab268fddc5daedf2062218
Instruction Fuzzy Hash: 9421997120060CAFEB005F32EE8AF353B6AFB94758F306429F505F12A1DB72AC15EA15

Function 00ECE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00ECEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00ECEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ECEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00ECEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00ECEAA7

Strings

close PlayMe, xrefs: 00ECEA6E, 00ECEA9B
open , xrefs: 00ECEA0C
play PlayMe, xrefs: 00ECEAA2
alias PlayMe, xrefs: 00ECEA36
status PlayMe mode, xrefs: 00ECEA58
play PlayMe wait, xrefs: 00ECEA91

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: c13cd868cf149e13fe5f224dc2385d175301d5c80ffd05071fa2fc69078780c7
Instruction ID: a98a00f36c9b216b9ef68be8a9da4bcd5102add7ff0afdacb7ba4813854af62b
Opcode Fuzzy Hash: c13cd868cf149e13fe5f224dc2385d175301d5c80ffd05071fa2fc69078780c7
Instruction Fuzzy Hash: 5511A331AD02697DD720A7A1ED4AEFF7ABCEBD2B44F001429B411F21D1EE704945C9B1

Function 00EC9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00ECA012
SetKeyboardState.USER32(?), ref: 00ECA07D
GetAsyncKeyState.USER32(000000A0), ref: 00ECA09D
GetKeyState.USER32(000000A0), ref: 00ECA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00ECA0E3
GetKeyState.USER32(000000A1), ref: 00ECA0F4
GetAsyncKeyState.USER32(00000011), ref: 00ECA120
GetKeyState.USER32(00000011), ref: 00ECA12E
GetAsyncKeyState.USER32(00000012), ref: 00ECA157
GetKeyState.USER32(00000012), ref: 00ECA165
GetAsyncKeyState.USER32(0000005B), ref: 00ECA18E
GetKeyState.USER32(0000005B), ref: 00ECA19C

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8693d938d4b182532f31c1ed43620bc7bf8f6da82f82a47a0845aef58e96f336
Instruction ID: 0454973cb3d7cf4176751989e85ee4fa537ef941e05fc8be027681863eb583c1
Opcode Fuzzy Hash: 8693d938d4b182532f31c1ed43620bc7bf8f6da82f82a47a0845aef58e96f336
Instruction Fuzzy Hash: 3451D560A0438829FB35DA708615FEAAFF49F01388F0C55AD95C2671C3DA55AA4DC762

Function 00EC5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00EC5CE2
GetWindowRect.USER32(00000000,?), ref: 00EC5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00EC5D59
GetDlgItem.USER32(?,00000002), ref: 00EC5D69
GetWindowRect.USER32(00000000,?), ref: 00EC5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00EC5DCF
GetDlgItem.USER32(?,000003E9), ref: 00EC5DDD
GetWindowRect.USER32(00000000,?), ref: 00EC5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00EC5E31
GetDlgItem.USER32(?,000003EA), ref: 00EC5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00EC5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00EC5E67

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: b607acbc8df5d73918f997b0e7e89cc6a5d5f0263d22032b6262ef2f842768c1
Instruction ID: e62856757cbe055700f03707e39adf1487dfb6234c6ffa97c0a50aaef31d0297
Opcode Fuzzy Hash: b607acbc8df5d73918f997b0e7e89cc6a5d5f0263d22032b6262ef2f842768c1
Instruction Fuzzy Hash: 9C511071A00609AFDF18CF69DE89EAE7BB5EB88700F209129F516F6290D770AD45CB50

Function 00E78BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E78F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E78BE8,?,00000000,?,?,?,?,00E78BBA,00000000,?), ref: 00E78FC5

DestroyWindow.USER32(?), ref: 00E78C81
KillTimer.USER32(00000000,?,?,?,?,00E78BBA,00000000,?), ref: 00E78D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00EB6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00E78BBA,00000000,?), ref: 00EB69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00E78BBA,00000000,?), ref: 00EB69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00E78BBA,00000000), ref: 00EB69D4
DeleteObject.GDI32(00000000), ref: 00EB69E6

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 7c4aae759601d2f632a641ab58705adf2f6328298f52b551885741f53a03c0ad
Instruction ID: 9abbd6ce533902d6c812ce9fadc989648e33d1b023257540df2c5c028077db97
Opcode Fuzzy Hash: 7c4aae759601d2f632a641ab58705adf2f6328298f52b551885741f53a03c0ad
Instruction Fuzzy Hash: 0E61C230102608DFDB269F15DB4CB66B7F2FB9032AF24A529E046B65A0CB35AD84DF51

Function 00E79838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00E79944: GetWindowLongW.USER32(?,000000EB), ref: 00E79952

GetSysColor.USER32(0000000F), ref: 00E79862

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 694e7ebe0e5f602b35f3c12ee238e3a717d93aaa91a3796cb89d702e7589dc41
Instruction ID: 4d59da423eba33c1511f8835fc63a209eaa84dfa20ce4e08ba2a33c581dc73f1
Opcode Fuzzy Hash: 694e7ebe0e5f602b35f3c12ee238e3a717d93aaa91a3796cb89d702e7589dc41
Instruction Fuzzy Hash: C641E7311056049FEB249F39DC44BBA3B65EF87335F249645F9A6A71E2C7309C42DB11

Function 00E98D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

., xrefs: 00E9903A, 00E98FD0, 00E98FF2

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-3963672497
Opcode ID: 7b5e62d9b4a05bdd3dbc23c6e119f83383e1d81c92c75bdc810ece86a9074121
Instruction ID: f3d862c6ae415e36c18c56e48b17558aca4f05878490a14dcd8f6b35d3872282
Opcode Fuzzy Hash: 7b5e62d9b4a05bdd3dbc23c6e119f83383e1d81c92c75bdc810ece86a9074121
Instruction Fuzzy Hash: DBC1D374A04249AFCF11EFACC841BADBBF1AF4A314F146199E528B73A2C7309941CB61

Function 00EC96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00EAF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00EC9717
LoadStringW.USER32(00000000,?,00EAF7F8,00000001), ref: 00EC9720

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00EAF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00EC9742
LoadStringW.USER32(00000000,?,00EAF7F8,00000001), ref: 00EC9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00EC9866

Strings

^ ERROR, xrefs: 00EC97FB
Line %d:, xrefs: 00EC97A0
%s (%d) : ==> %s: %s %s, xrefs: 00EC984A
Error: , xrefs: 00EC981D
Line %d (File "%s"):, xrefs: 00EC978F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 5b3a96c41fbfa9e1942c5cb95170991dbe563f9b51db78d055b32adbb790865b
Instruction ID: af40483280b38a0c6457d33088a8bc56a949b635cd98f6bfc0a93318b8967a1b
Opcode Fuzzy Hash: 5b3a96c41fbfa9e1942c5cb95170991dbe563f9b51db78d055b32adbb790865b
Instruction Fuzzy Hash: 5B413072840119AACB04FBE0EE46EEEB7BCAF55340F202065F50573192EB356F49DB61

Function 00EC06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00EC07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00EC07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00EC07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00EC0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00EC082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EC0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EC083C

Strings

SOFTWARE\Classes\, xrefs: 00EC070E
\CLSID, xrefs: 00EC0724
\IPC$, xrefs: 00EC0784

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 035bec7890b90699452ec4382e16e9f79fa4154e302e7d11bb8b357e1cfdb54b
Instruction ID: 4183efefb3b46b6626217af8514d86f50075ac519c2202e48e092205682bc259
Opcode Fuzzy Hash: 035bec7890b90699452ec4382e16e9f79fa4154e302e7d11bb8b357e1cfdb54b
Instruction Fuzzy Hash: 42412872C50229EFDF15EBA4ED85DEDB7B8BF44790B145129E901B3161EB309E05CBA0

Function 00EF3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00EF403B
CreateCompatibleDC.GDI32(00000000), ref: 00EF4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00EF4055
SelectObject.GDI32(00000000,00000000), ref: 00EF405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00EF4068
DeleteDC.GDI32(00000000), ref: 00EF4072
GetWindowLongW.USER32(?,000000EC), ref: 00EF407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00EF4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00EF409E

Strings

static, xrefs: 00EF3FD3

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 6c219c8420f26b14a2461530d089ae99a55202fdce2ca9c88bc5407e708d831c
Instruction ID: 6ecd015e197890d446d383f1a2b15fe77506e167cdb60a309649e732db945c29
Opcode Fuzzy Hash: 6c219c8420f26b14a2461530d089ae99a55202fdce2ca9c88bc5407e708d831c
Instruction Fuzzy Hash: 3D315872101219AFDF229FA5CD08FEA3BA9EF4D724F211211FA14B61A0CB35D824DB50

Function 00EE3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EE3C5C
CoInitialize.OLE32(00000000), ref: 00EE3C8A
CoUninitialize.OLE32 ref: 00EE3C94
_wcslen.LIBCMT ref: 00EE3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00EE3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00EE3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00EE3F0E
CoGetObject.OLE32(?,00000000,00EFFB98,?), ref: 00EE3F2D
SetErrorMode.KERNEL32(00000000), ref: 00EE3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00EE3FC4
VariantClear.OLEAUT32(?), ref: 00EE3FD8

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 86ec6f53db09face6387c4531e85272c1e1e67b510b3fd449a40b7de2e48e3ee
Instruction ID: 832d6c50ccd17dbb2e4af3583787e727c7abe6c8a6abc58a9efe5627cc8b123b
Opcode Fuzzy Hash: 86ec6f53db09face6387c4531e85272c1e1e67b510b3fd449a40b7de2e48e3ee
Instruction Fuzzy Hash: 6FC168716083499FC700DF69C88896BB7E9FF89748F10591DF98AAB221D731EE05CB52

Function 00ED7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00ED7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00ED7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00ED7BA3
CoCreateInstance.OLE32(00EFFD08,00000000,00000001,00F26E6C,?), ref: 00ED7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00ED7C74
CoTaskMemFree.OLE32(?,?), ref: 00ED7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00ED7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00ED7D7A
CoTaskMemFree.OLE32(00000000), ref: 00ED7D81
CoTaskMemFree.OLE32(00000000), ref: 00ED7DD6
CoUninitialize.OLE32 ref: 00ED7DDC

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: d2583d9c20cc8d84aea1b0bebba0dbc4c8120f380fcb4c1dad26ee582ccbfb78
Instruction ID: d82a4a10321511ab51e71eadfc1a8c54859bb43da9613c11a4fae82cf3a3d505
Opcode Fuzzy Hash: d2583d9c20cc8d84aea1b0bebba0dbc4c8120f380fcb4c1dad26ee582ccbfb78
Instruction Fuzzy Hash: 87C13C75A04109AFCB14DF64C884DAEBBF9FF48344B149499E85AEB361D730ED46CB90

Function 00EF541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00EF5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EF5515
CharNextW.USER32(00000158), ref: 00EF5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00EF5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00EF559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EF55AC

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: e31f380583eef441348c7b4e6dc85dd205020a0f294c3920875ad5a9b8fd8d7f
Instruction ID: 7ee7dac894986a0d168008a6adf055ba8effc6d1116e4fd9a54e99d88e7741f8
Opcode Fuzzy Hash: e31f380583eef441348c7b4e6dc85dd205020a0f294c3920875ad5a9b8fd8d7f
Instruction Fuzzy Hash: B761BE3290460CEFDF108F50CC84AFE7BB9EB55724F209049FB25B6290D7708A84DB61

Function 00EBFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00EBFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00EBFB08
VariantInit.OLEAUT32(?), ref: 00EBFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00EBFB3A
VariantCopy.OLEAUT32(?,?), ref: 00EBFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00EBFBA1
VariantClear.OLEAUT32(?), ref: 00EBFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00EBFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EBFBCC
VariantClear.OLEAUT32(?), ref: 00EBFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EBFBE9

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bc99c58073ea3494540a393c839781a0b8021835bc3e60eaaae621ed9dc2ffb0
Instruction ID: 5a739e5f045a45d80c8e66066a18e2b6b349936268678068e4a56b52b29e52d5
Opcode Fuzzy Hash: bc99c58073ea3494540a393c839781a0b8021835bc3e60eaaae621ed9dc2ffb0
Instruction Fuzzy Hash: 58413E35A002199FCB04DF65DCA49FEBBB9EF48344F209469E955B7261CB30A945CBA0

Function 00EC9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00EC9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00EC9D22
GetKeyState.USER32(000000A0), ref: 00EC9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00EC9D57
GetKeyState.USER32(000000A1), ref: 00EC9D6C
GetAsyncKeyState.USER32(00000011), ref: 00EC9D84
GetKeyState.USER32(00000011), ref: 00EC9D96
GetAsyncKeyState.USER32(00000012), ref: 00EC9DAE
GetKeyState.USER32(00000012), ref: 00EC9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00EC9DD8
GetKeyState.USER32(0000005B), ref: 00EC9DEA

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d2e3bbc8fd7b419d35d4c3a4a4efb6131dfc983f7e8cd88caeed81b1b0fac088
Instruction ID: c3a36a0f41aa94f4a9bb52f3572218f33bab4d7878d9036b33560c67e4651aba
Opcode Fuzzy Hash: d2e3bbc8fd7b419d35d4c3a4a4efb6131dfc983f7e8cd88caeed81b1b0fac088
Instruction Fuzzy Hash: 1A41E8305047C96DFF308660860CBB5FEE06B21348F08A05EDAC7761C3DBA699C9C7A2

Function 00EE055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00EE05BC
inet_addr.WSOCK32(?), ref: 00EE061C
gethostbyname.WSOCK32(?), ref: 00EE0628
IcmpCreateFile.IPHLPAPI ref: 00EE0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EE06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EE06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00EE07B9
WSACleanup.WSOCK32 ref: 00EE07BF

Strings

Ping, xrefs: 00EE0676

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: b58a0a2f8614f9d23bed358e60a50e846d06185bf82b7de14d087ed9b5dfee00
Instruction ID: b3b49766a645c076a31165b0d767c3abfaf9c7c645b9a8d9e958f20e40838d35
Opcode Fuzzy Hash: b58a0a2f8614f9d23bed358e60a50e846d06185bf82b7de14d087ed9b5dfee00
Instruction Fuzzy Hash: 3391C1356042459FD320DF16D488F16BBE0AF84318F149599F469AB7A2C7B0FC85CF91

Function 00EE8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00EE8CF3

Part of subcall function 00EC8E54: _wcslen.LIBCMT ref: 00EC8E77

_wcslen.LIBCMT ref: 00EE8D4E
_wcslen.LIBCMT ref: 00EE8D9C
_wcslen.LIBCMT ref: 00EE8DDC
_wcslen.LIBCMT ref: 00EE8E6E

Strings

winapi, xrefs: 00EE8D96, 00EE8D9B
cdecl, xrefs: 00EE8D48, 00EE8D4D
stdcall, xrefs: 00EE8DD6, 00EE8DDB
none, xrefs: 00EE8E65, 00EE8E6A

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: ed41117483597d52f417bfc82397f69c38860fe311cff9dc67b49c033218efd9
Instruction ID: 36d8d57562372445eb766fc68ae1d0c02ac2483adceb4adc19683d00687242e3
Opcode Fuzzy Hash: ed41117483597d52f417bfc82397f69c38860fe311cff9dc67b49c033218efd9
Instruction Fuzzy Hash: DB51C031A0055A9BCB24DF69CE508BEB7E5BF64328B205229E82AF72D5DB31DD40D790

Function 00EE372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00EE3774
CoUninitialize.OLE32 ref: 00EE377F
CoCreateInstance.OLE32(?,00000000,00000017,00EFFB78,?), ref: 00EE37D9
IIDFromString.OLE32(?,?), ref: 00EE384C
VariantInit.OLEAUT32(?), ref: 00EE38E4
VariantClear.OLEAUT32(?), ref: 00EE3936

Strings

Failed to create object, xrefs: 00EE37E4, 00EE389A
NULL Pointer assignment, xrefs: 00EE381E
Invalid parameter, xrefs: 00EE3865

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 188a7dcaccc0c5592faf885715f912c60a93b81dee1b36aa02408f0e5d67a950
Instruction ID: 438a70560c98b000da3fc6521889948631a50abcfb0cef4048e190075bd7a6d7
Opcode Fuzzy Hash: 188a7dcaccc0c5592faf885715f912c60a93b81dee1b36aa02408f0e5d67a950
Instruction Fuzzy Hash: F761E170608345AFD314DF66D849F6ABBE8EF88714F10180EF885A7291D770EE48CB96

Function 00ED3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00ED33CF

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00ED33F0

Strings

Incorrect parameters to object property !, xrefs: 00ED34AB
^ ERROR , xrefs: 00ED349E
"%s" (%d) : ==> %s:, xrefs: 00ED3522
"%s" (%d) : ==> %s:%s%s, xrefs: 00ED3504
Error: , xrefs: 00ED34D1
Line %d (File "%s"):, xrefs: 00ED3443, 00ED345C

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: f02c975a70fe75ebed32c52bfd0fddd4777d76ed049d991a09ffbad3f80391c0
Instruction ID: dabf17fc97203cf4e6c0aad97c2f69c5dc9ae099aa8f1471d6f987623f351a09
Opcode Fuzzy Hash: f02c975a70fe75ebed32c52bfd0fddd4777d76ed049d991a09ffbad3f80391c0
Instruction Fuzzy Hash: 4C51B131940209AADF14EBA0EE46EEEB3B9EF14380F205065F40573192EB356F59DB61

Function 00ECB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00ECB5FC
_wcslen.LIBCMT ref: 00ECB608
_wcslen.LIBCMT ref: 00ECB64D
_wcslen.LIBCMT ref: 00ECB68C
_wcslen.LIBCMT ref: 00ECB6C7

Strings

APPEND, xrefs: 00ECB6C1, 00ECB6C6
EXISTS, xrefs: 00ECB686, 00ECB68B
KEYS, xrefs: 00ECB647, 00ECB64C
REMOVE, xrefs: 00ECB602, 00ECB607

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 5ab707dbf9f93da893da3bdb9ee3dc57a1395e4c64fe43b44c5041c1be8195eb
Instruction ID: 7abcb534be4a5d0b58eee820de8452572ed8f7373760c93d02e1912dafc636ea
Opcode Fuzzy Hash: 5ab707dbf9f93da893da3bdb9ee3dc57a1395e4c64fe43b44c5041c1be8195eb
Instruction Fuzzy Hash: 7A41CC32A001279ACB105F7DCA92BBE77A5AFA0758F24512DE465F7284E732CD42C790

Function 00ED5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00ED53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00ED5416
GetLastError.KERNEL32 ref: 00ED5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00ED54A7

Strings

NOTREADY, xrefs: 00ED544B
READY, xrefs: 00ED5460, 00ED5468
READONLY, xrefs: 00ED5452
INVALID, xrefs: 00ED5459
UNKNOWN, xrefs: 00ED5444

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 678bee369235fb6099cfec4343956c1e8193a2f67a525e497814d536fcaa1416
Instruction ID: 1f213dedbe0d9fb4e2c0148c9855fb3fa3ada4cf9a5414d6ced83b5ec438496d
Opcode Fuzzy Hash: 678bee369235fb6099cfec4343956c1e8193a2f67a525e497814d536fcaa1416
Instruction Fuzzy Hash: 0E31D236A005089FD710DF68D584AEABBF4EF44309F24906AE412EB392D731DD87CB92

Function 00EF3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00EF3C79
SetMenu.USER32(?,00000000), ref: 00EF3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EF3D10
IsMenu.USER32(?), ref: 00EF3D24
CreatePopupMenu.USER32 ref: 00EF3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EF3D5B
DrawMenuBar.USER32 ref: 00EF3D63

Strings

0, xrefs: 00EF3C54
F, xrefs: 00EF3D4E

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 32cb6426920f497d722618c906624e8818e07e8561ea319aa1f7edf69fdedc47
Instruction ID: 11460a0eb09bf0d1ce6faa03eab81135bc536f0ff64d8c2375566c2fc8af1e7a
Opcode Fuzzy Hash: 32cb6426920f497d722618c906624e8818e07e8561ea319aa1f7edf69fdedc47
Instruction Fuzzy Hash: 08418974A0120DEFDB14CF65D844AEA7BB5FF89354F240028FA06A7360D731AA14CF90

Function 00EC1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EC3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00EC1F64
GetDlgCtrlID.USER32 ref: 00EC1F6F
GetParent.USER32 ref: 00EC1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EC1F8E
GetDlgCtrlID.USER32(?), ref: 00EC1F97
GetParent.USER32(?), ref: 00EC1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EC1FAE

Strings

ComboBox, xrefs: 00EC1EEC
ListBox, xrefs: 00EC1F21

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 349956dd31620ebbaea4af4a8660e6769bce143f82e7aa94a91fc4fb15c64f29
Instruction ID: 468c33cd564e46dd03cbe8e411d4ec45865da8e14efaa65919144f13c545b8d6
Opcode Fuzzy Hash: 349956dd31620ebbaea4af4a8660e6769bce143f82e7aa94a91fc4fb15c64f29
Instruction Fuzzy Hash: 0D21F570A00118BFCF04AFA0DD44EFEBBB8EF46350B201149F961B3292DB358919DB61

Function 00EC1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EC3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00EC2043
GetDlgCtrlID.USER32 ref: 00EC204E
GetParent.USER32 ref: 00EC206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EC206D
GetDlgCtrlID.USER32(?), ref: 00EC2076
GetParent.USER32(?), ref: 00EC208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EC208D

Strings

ComboBox, xrefs: 00EC1FCD
ListBox, xrefs: 00EC2002

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: cbcca3a0977cee82e6eac82eaffd0b6f8345dbd6dcf2beb62a4fa07778bc93ab
Instruction ID: 58359050da497715c5deb60856eb321207ecb3e02801372b2c837afc26381466
Opcode Fuzzy Hash: cbcca3a0977cee82e6eac82eaffd0b6f8345dbd6dcf2beb62a4fa07778bc93ab
Instruction Fuzzy Hash: 5921F671900218BFCF14AFA0DD45EFEBBB8EF15340F20500AF951B71A1DA768919DB61

Function 00EF3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00EF3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00EF3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00EF3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EF3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00EF3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00EF3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00EF3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00EF3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00EF3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00EF3C13

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: d0708dffe0a8b3927f4e914ab86e0b059e9a33fece27bc2d0cbddf80fc74ade4
Instruction ID: a7ce7fd5bc44748250730113ba63a82060c113f58d35810ece035492f1a43d8e
Opcode Fuzzy Hash: d0708dffe0a8b3927f4e914ab86e0b059e9a33fece27bc2d0cbddf80fc74ade4
Instruction Fuzzy Hash: C8615A75900248AFDB10DFA8CC81EFEB7F8EB49714F104199FA15A72A1D770AE45DB60

Function 00E92C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E92C94

Part of subcall function 00E929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000), ref: 00E929DE
Part of subcall function 00E929C8: GetLastError.KERNEL32(00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000,00000000), ref: 00E929F0

_free.LIBCMT ref: 00E92CA0
_free.LIBCMT ref: 00E92CAB
_free.LIBCMT ref: 00E92CB6
_free.LIBCMT ref: 00E92CC1
_free.LIBCMT ref: 00E92CCC
_free.LIBCMT ref: 00E92CD7
_free.LIBCMT ref: 00E92CE2
_free.LIBCMT ref: 00E92CED
_free.LIBCMT ref: 00E92CFB

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4eabae7e7e4fa110150639090299747e8efd49d5a8781fee7514f3365264ce68
Instruction ID: b39173dc6a7cf45f9b3be3d9f47a470a6d620c0f302f9a30ab48ea8ad5a12014
Opcode Fuzzy Hash: 4eabae7e7e4fa110150639090299747e8efd49d5a8781fee7514f3365264ce68
Instruction Fuzzy Hash: BB117276500108BFCF02EF94D982CDD3BA9FF45350F9155A9FA48AF222DA31EE509B90

Function 00ED7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00ED7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00ED7FC1
GetFileAttributesW.KERNEL32(?), ref: 00ED7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00ED8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00ED8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00ED8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00ED80B0

Strings

*.*, xrefs: 00ED8066

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: fc9a821645ecd74a9b2c10819e5f40790909b89cd34864c31c6c590748e3c3dd
Instruction ID: 8abbea836690c3548ad819eaf807c75646301e30ee69859a5ad3a6c89131c3cf
Opcode Fuzzy Hash: fc9a821645ecd74a9b2c10819e5f40790909b89cd34864c31c6c590748e3c3dd
Instruction Fuzzy Hash: C9819F715082419BDB20EF15C8449AEB3E8EB88354F14685FF8C9E7351EB35DD4ACB52

Function 00E65BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E65C7A

Part of subcall function 00E65D0A: GetClientRect.USER32(?,?), ref: 00E65D30
Part of subcall function 00E65D0A: GetWindowRect.USER32(?,?), ref: 00E65D71
Part of subcall function 00E65D0A: ScreenToClient.USER32(?,?), ref: 00E65D99

GetDC.USER32 ref: 00EA46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00EA4708
SelectObject.GDI32(00000000,00000000), ref: 00EA4716
SelectObject.GDI32(00000000,00000000), ref: 00EA472B
ReleaseDC.USER32(?,00000000), ref: 00EA4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00EA47C4

Strings

U, xrefs: 00EA4693

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 4c5bb1763a6853647cb758db748e6e393833fbf78d4f9e9bd90833afcaf8e516
Instruction ID: 57e30a55012d7c8800c95522fabddf306d2ab27075b386609182101966926ef8
Opcode Fuzzy Hash: 4c5bb1763a6853647cb758db748e6e393833fbf78d4f9e9bd90833afcaf8e516
Instruction Fuzzy Hash: 0A710071500208DFCF218F64C984AFA7BB1FFCA368F24626AF9517A1A6C770A841DF50

Function 00ED359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00ED35E4

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

LoadStringW.USER32(00F32390,?,00000FFF,?), ref: 00ED360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00ED3742
^ ERROR, xrefs: 00ED36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00ED3724
Error: , xrefs: 00ED36EF
Line %d (File "%s"):, xrefs: 00ED366B

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 263893f4a13c444ee6f7e44a833a3842e39c43bab493ba76afc80823e3aea81b
Instruction ID: 73410c6f584134dde55fc1b4503d90975eedd7737086257ee143b262c8df9473
Opcode Fuzzy Hash: 263893f4a13c444ee6f7e44a833a3842e39c43bab493ba76afc80823e3aea81b
Instruction Fuzzy Hash: F051C271840209BBCF14EBA0ED42EEEBBB8EF14350F146126F105721A2DB315B99DF61

Function 00EF8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

Part of subcall function 00E7912D: GetCursorPos.USER32(?), ref: 00E79141
Part of subcall function 00E7912D: ScreenToClient.USER32(00000000,?), ref: 00E7915E
Part of subcall function 00E7912D: GetAsyncKeyState.USER32(00000001), ref: 00E79183
Part of subcall function 00E7912D: GetAsyncKeyState.USER32(00000002), ref: 00E7919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00EF8B6B
ImageList_EndDrag.COMCTL32 ref: 00EF8B71
ReleaseCapture.USER32 ref: 00EF8B77
SetWindowTextW.USER32(?,00000000), ref: 00EF8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00EF8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00EF8CFF

Strings

@GUI_DRAGFILE, xrefs: 00EF8C9A
@GUI_DROPID, xrefs: 00EF8C51

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: e90e4002b32835fa3438dd4361393838188afa1ed32554b49209178ee4d96f68
Instruction ID: f0bf15b105237cf72d0dc568abc25f868bf061890c82f03323b6350a1f4b105b
Opcode Fuzzy Hash: e90e4002b32835fa3438dd4361393838188afa1ed32554b49209178ee4d96f68
Instruction Fuzzy Hash: 2F51BE70205308AFD704DF10DD56BBAB7E4FB88754F50162DFA56A72E2CB709904CB62

Function 00EDC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EDC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EDC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EDC2CA
GetLastError.KERNEL32 ref: 00EDC322
SetEvent.KERNEL32(?), ref: 00EDC336
InternetCloseHandle.WININET(00000000), ref: 00EDC341

Strings

, xrefs: 00EDC2BB

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 6a66612165b8fadcf7c0f17f6e7614fb9850b01d796262b02f229dbd0779885c
Instruction ID: 0510e5ba1e1c0f43df988666e96793a8b7089dc96fab58fc81526fb2a89db498
Opcode Fuzzy Hash: 6a66612165b8fadcf7c0f17f6e7614fb9850b01d796262b02f229dbd0779885c
Instruction Fuzzy Hash: 16318DB1600609AFD7219F658D88ABB7BFCEB49784B30951FF446A2350DB30DD0ADB60

Function 00EC989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00EA3AAF,?,?,Bad directive syntax error,00EFCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00EC98BC
LoadStringW.USER32(00000000,?,00EA3AAF,?), ref: 00EC98C3

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00EC9987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00EC98F1
Error: , xrefs: 00EC9955
Line %d:, xrefs: 00EC9912
., xrefs: 00EC996D
Line %d (File "%s"):, xrefs: 00EC992D

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: a450229681c8fafdf5d85fbc7a2c9538be02ff3be4039ff15913478d1ecad901
Instruction ID: e1c711ec29c8c3311100909aea47f1d45e485bba593ae945d7f2ea39d20ee197
Opcode Fuzzy Hash: a450229681c8fafdf5d85fbc7a2c9538be02ff3be4039ff15913478d1ecad901
Instruction Fuzzy Hash: FA217E3188021EABCF15EF90DD0AEFE77B9BF18740F046469F515760A2EB31AA18DB11

Function 00EC209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00EC20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00EC20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EC214D

Strings

details, xrefs: 00EC20FB
largeicons, xrefs: 00EC20E1
smallicons, xrefs: 00EC2115
SHELLDLL_DefView, xrefs: 00EC20CC
list, xrefs: 00EC212F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 6be9eb1c254d7d8d640b15c2e6c6e013fce93edea9149ef460bcd554fa379193
Instruction ID: fa543a60aa56d36342ed7531562266276cd641c6702b655b06a032e4ac2be0c9
Opcode Fuzzy Hash: 6be9eb1c254d7d8d640b15c2e6c6e013fce93edea9149ef460bcd554fa379193
Instruction Fuzzy Hash: 1611E776688717B9F6052620AD06EE6379CCB04B24B20206EFB08B50E1FE7298066A15

Function 00E9CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E9CEB7
_free.LIBCMT ref: 00E9CF22
_free.LIBCMT ref: 00E9CF48
_free.LIBCMT ref: 00E9CF71
_free.LIBCMT ref: 00E9CFA9
_free.LIBCMT ref: 00E9CFDA
_free.LIBCMT ref: 00E9D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00E9D09C
_free.LIBCMT ref: 00E9D0B5

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 9c80f465f2d0060c0be5bbe8d1e6d082621a786a86fefacfac3f8ecf02b55b1a
Instruction ID: ea125274322296895b425c43b5f70c17fc2dbba26f17759371dea81f2f11df13
Opcode Fuzzy Hash: 9c80f465f2d0060c0be5bbe8d1e6d082621a786a86fefacfac3f8ecf02b55b1a
Instruction Fuzzy Hash: D8617871A04314AFDF21BFB49C91AA97BE6EF05364F24116EF909B7281DB319D018790

Function 00EF50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00EF5186
ShowWindow.USER32(?,00000000), ref: 00EF51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00EF51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00EF51D1

Part of subcall function 00EF6FBA: DeleteObject.GDI32(00000000), ref: 00EF6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00EF520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EF521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00EF524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00EF5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00EF5296

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 5e666bd0744f72d7fa61f42d14bece35ac8b05551d8ab8e3718e53ffcee3423a
Instruction ID: 266e186d620eabfbb96cefd4f2528ce61c8aa131dc6a4803e8a25b6b3019c20a
Opcode Fuzzy Hash: 5e666bd0744f72d7fa61f42d14bece35ac8b05551d8ab8e3718e53ffcee3423a
Instruction Fuzzy Hash: 6D518232A41A0CBEEF249F24CC45BF83BB5AF15325F246212F719B62E1C375A944DB41

Function 00E78B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00EB6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00EB68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00EB68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00EB68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00EB68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E78874,00000000,00000000,00000000,000000FF,00000000), ref: 00EB6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00EB691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E78874,00000000,00000000,00000000,000000FF,00000000), ref: 00EB692D

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 8adc81a9f172bf1ddf5329e679b8bdc5e3b941c6b3d270b1c1d17e12dba6e489
Instruction ID: 05172463764e742ec7e5c4563b915b65496285703c3dd4235471530ae809a378
Opcode Fuzzy Hash: 8adc81a9f172bf1ddf5329e679b8bdc5e3b941c6b3d270b1c1d17e12dba6e489
Instruction Fuzzy Hash: 3751BC74600209EFDB20CF25CD55FAA7BB5FF98764F209518F90AA72A0DB70E950DB40

Function 00EDC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EDC182
GetLastError.KERNEL32 ref: 00EDC195
SetEvent.KERNEL32(?), ref: 00EDC1A9

Part of subcall function 00EDC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EDC272
Part of subcall function 00EDC253: GetLastError.KERNEL32 ref: 00EDC322
Part of subcall function 00EDC253: SetEvent.KERNEL32(?), ref: 00EDC336
Part of subcall function 00EDC253: InternetCloseHandle.WININET(00000000), ref: 00EDC341

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: ca1742675156ff5ceba820cca9e21467021e929d0454e647eb6314446ca31d01
Instruction ID: d1ac295deeead0a9b2ff85bcfd127c4a22f2ce8ecd1d4fb5656cbdd1ec1ef7e6
Opcode Fuzzy Hash: ca1742675156ff5ceba820cca9e21467021e929d0454e647eb6314446ca31d01
Instruction Fuzzy Hash: CC31A071201A06AFDB219FB5DD44AB6BBF8FF58384B30541EF956A2720D730E816DB60

Function 00EC25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EC3A57
Part of subcall function 00EC3A3D: GetCurrentThreadId.KERNEL32 ref: 00EC3A5E
Part of subcall function 00EC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EC25B3), ref: 00EC3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00EC25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00EC25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00EC25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EC25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00EC2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00EC2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EC260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00EC2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00EC2627

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: cd7e3a21ec67723eccd1c5ed814e11a2cbee7ceabf42f8e29df171ae716a42a7
Instruction ID: 34ce8476cd8e9c07fddf6c778e740af58c91c8c6972bed9dfccdde2c61b17304
Opcode Fuzzy Hash: cd7e3a21ec67723eccd1c5ed814e11a2cbee7ceabf42f8e29df171ae716a42a7
Instruction Fuzzy Hash: BC01D830394214BBFB1067699C8AF697FA9DF8EB11F701005F314BE1D1C9F25459CA6A

Function 00EC1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00EC1449,?,?,00000000), ref: 00EC180C
HeapAlloc.KERNEL32(00000000,?,00EC1449,?,?,00000000), ref: 00EC1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EC1449,?,?,00000000), ref: 00EC1828
GetCurrentProcess.KERNEL32(?,00000000,?,00EC1449,?,?,00000000), ref: 00EC1830
DuplicateHandle.KERNEL32(00000000,?,00EC1449,?,?,00000000), ref: 00EC1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EC1449,?,?,00000000), ref: 00EC1843
GetCurrentProcess.KERNEL32(00EC1449,00000000,?,00EC1449,?,?,00000000), ref: 00EC184B
DuplicateHandle.KERNEL32(00000000,?,00EC1449,?,?,00000000), ref: 00EC184E
CreateThread.KERNEL32(00000000,00000000,00EC1874,00000000,00000000,00000000), ref: 00EC1868

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 2d214299d5cfad202b52f48b9a3e3fb451b90111d0f5a709dca0c0f038d52f29
Instruction ID: dffa5d2f6aef0419b2b1a3f4dd0eb75961c520ecd22645cab2857f3a5201e102
Opcode Fuzzy Hash: 2d214299d5cfad202b52f48b9a3e3fb451b90111d0f5a709dca0c0f038d52f29
Instruction Fuzzy Hash: 4A01C275241308BFE710AF75DD4DF673B6CEB89B11F604451FA05EB192C6719814DB60

Function 00E93E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E93F0B
__alldvrm.LIBCMT ref: 00E9410C
__alldvrm.LIBCMT ref: 00E9412E

Strings

}}, xrefs: 00E940CD
}}, xrefs: 00E93E8A
}}, xrefs: 00E93E96, 00E93EF1, 00E93F0A, 00E94090

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}$}}$}}
API String ID: 1036877536-1495402609
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: bfe25145c75e5eaa18489f7f81ec8506ae5037b3839af7528ab921ed679d6ee0
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: CEA167B2E003869FDF25CF28C881BEEBBE5EF65354F1451ADE585BB281C2349982C751

Function 00EEA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00ECD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00ECD501
Part of subcall function 00ECD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00ECD50F
Part of subcall function 00ECD4DC: CloseHandle.KERNELBASE(00000000), ref: 00ECD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EEA16D
GetLastError.KERNEL32 ref: 00EEA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EEA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00EEA268
GetLastError.KERNEL32(00000000), ref: 00EEA273
CloseHandle.KERNEL32(00000000), ref: 00EEA2C4

Strings

SeDebugPrivilege, xrefs: 00EEA18F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 937924ab0aa756a7cce3a35a172e9505fbc083380c6d348c62eef262b258516d
Instruction ID: 5c0754c90cdf511407b0c6b1563357fe2ea904e380170711d4222a44fcc092a5
Opcode Fuzzy Hash: 937924ab0aa756a7cce3a35a172e9505fbc083380c6d348c62eef262b258516d
Instruction Fuzzy Hash: 8661BE702052829FD710DF16C494F25BBE1AF44318F28949CE566AB7A3C772FC49CB92

Function 00EF3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00EF3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00EF393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00EF3954
_wcslen.LIBCMT ref: 00EF3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00EF39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00EF39F4

Strings

SysListView32, xrefs: 00EF38F7

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: afe0000e2d906ab0b391a97127369cecde7f9ec2052ca8e2b351cd395a4f92c5
Instruction ID: 6adfe5ec6962de130669e661a77559fb457e68b310b07b8dc5ef4884d06826bb
Opcode Fuzzy Hash: afe0000e2d906ab0b391a97127369cecde7f9ec2052ca8e2b351cd395a4f92c5
Instruction Fuzzy Hash: C541B271A0021DABDF219F64CC45BFA77A9EF48354F201526FA58F7281D7B1D984CB90

Function 00ECBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ECBCFD
IsMenu.USER32(00000000), ref: 00ECBD1D
CreatePopupMenu.USER32 ref: 00ECBD53
GetMenuItemCount.USER32(01635A98), ref: 00ECBDA4
InsertMenuItemW.USER32(01635A98,?,00000001,00000030), ref: 00ECBDCC

Strings

0, xrefs: 00ECBCA8
2, xrefs: 00ECBD37

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: ba7c9d3df044c409a63c9b814c0e3706a66adbecd64f245c6e9d9269e2d38480
Instruction ID: fd4852b427ff14d8685897f0963d6f0882615b33a12f1cc849fca79db201157d
Opcode Fuzzy Hash: ba7c9d3df044c409a63c9b814c0e3706a66adbecd64f245c6e9d9269e2d38480
Instruction Fuzzy Hash: 2651AE70A003099BDB10CFA9DA86FAEBFF8AF85318F24515DE402F7290D7729946CB51

Function 00E82D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E82D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00E82D53
_ValidateLocalCookies.LIBCMT ref: 00E82DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00E82E0C
_ValidateLocalCookies.LIBCMT ref: 00E82E61

Strings

&H, xrefs: 00E82DFE, 00E82E07, 00E82E18
csm, xrefs: 00E82DF6

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H$csm
API String ID: 1170836740-1242228090
Opcode ID: a2d2aeb984bc61e78bd82160df27def4fe2df01e9bde2ebd465e304c4a4854c7
Instruction ID: 1906d687d6c23007b16a98a9a678e6883e7512a9eafd409c3125e8b1c001a1de
Opcode Fuzzy Hash: a2d2aeb984bc61e78bd82160df27def4fe2df01e9bde2ebd465e304c4a4854c7
Instruction Fuzzy Hash: 8C419434A002099BCF14EF68C845A9EBFF5BF44318F149159E91DBB392D731AA05CBD1

Function 00ECC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00ECC913

Strings

info, xrefs: 00ECC8B4
question, xrefs: 00ECC8CC
blank, xrefs: 00ECC895
warning, xrefs: 00ECC8FC
stop, xrefs: 00ECC8E4

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 420a58f45bd4b484dcdbbcbae1081c27167e05b087ee35ab8431fee01fd61a78
Instruction ID: 273edc55029bdf55dad7c05354f198f9cb6879ab809365665adbfc34ea8a1c94
Opcode Fuzzy Hash: 420a58f45bd4b484dcdbbcbae1081c27167e05b087ee35ab8431fee01fd61a78
Instruction Fuzzy Hash: FA112E32689317BEA704A714AD82EEB67DCDF55358B30102EF50CF52C1E772AD025365

Function 00ECDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00ECDE42
gethostname.WSOCK32(?,00000100), ref: 00ECDE5C
gethostbyname.WSOCK32(?), ref: 00ECDE69
inet_ntoa.WSOCK32(?), ref: 00ECDEAB
_strcat.LIBCMT ref: 00ECDEB9
WSACleanup.WSOCK32 ref: 00ECDEDE

Strings

0.0.0.0, xrefs: 00ECDE87

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 67cb450092d94900b192a838411439185452a94d9df95ac469f53791169d6d39
Instruction ID: 7daf12d1fbd22e595eb88c3e1e76ba08416e5307223476304c7fcd825f1dbd22
Opcode Fuzzy Hash: 67cb450092d94900b192a838411439185452a94d9df95ac469f53791169d6d39
Instruction Fuzzy Hash: 52110271808109AFCB20BB209E0AEEA77ACDB54314F20117AF00DB6091EF728A86CB50

Function 00EF9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

GetSystemMetrics.USER32(0000000F), ref: 00EF9FC7
GetSystemMetrics.USER32(0000000F), ref: 00EF9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00EFA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00EFA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00EFA263
ShowWindow.USER32(00000003,00000000), ref: 00EFA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00EFA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00EFA2CA

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: a206fc67abec34840d1dc8d2abc5e566b6f517bacfbb5b0dda154ce11d24d5cf
Instruction ID: baac4a50ebc38aebed7345ddcfcb6d1085a71bfc8bedceb6e8bf5c75fc7ce0e0
Opcode Fuzzy Hash: a206fc67abec34840d1dc8d2abc5e566b6f517bacfbb5b0dda154ce11d24d5cf
Instruction Fuzzy Hash: 65B1B9B1600219DFDF14CF68C9847BA3BB2BF44705F19907AEE89AF295D731AA40CB51

Function 00ECED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00ECED2A
_wcslen.LIBCMT ref: 00ECED3B
_wcslen.LIBCMT ref: 00ECED79
_wcslen.LIBCMT ref: 00ECEDAF
_wcslen.LIBCMT ref: 00ECEDDF
_wcslen.LIBCMT ref: 00ECEDEF
_wcslen.LIBCMT ref: 00ECEE2B
_wcslen.LIBCMT ref: 00ECEE5A

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: a1747db5d5547bb787c000de6e5d8fc0bca37a8bb2193813b5959fb3a64127a7
Instruction ID: 9597a1353c39f1b471002c0f4c88f858265cbd2e193456e56e732962152ee121
Opcode Fuzzy Hash: a1747db5d5547bb787c000de6e5d8fc0bca37a8bb2193813b5959fb3a64127a7
Instruction Fuzzy Hash: AF417E65C1021966CB21FBB48C8AACFB7E8EF45710F50A466E51CF3262EB34E255C3A5

Function 00E7F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00EB682C,00000004,00000000,00000000), ref: 00E7F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00EB682C,00000004,00000000,00000000), ref: 00EBF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00EB682C,00000004,00000000,00000000), ref: 00EBF454

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e9c0edcdcb338c1211856c0f41b51cdc75354e3924bf2abe04d9bbfb9e554244
Instruction ID: 0d810ac0f22005ffdcbfb031569431891e02555cda9dc15d93b41deabe6ec3d4
Opcode Fuzzy Hash: e9c0edcdcb338c1211856c0f41b51cdc75354e3924bf2abe04d9bbfb9e554244
Instruction Fuzzy Hash: 07412B31508680BEC7349B6D8D887BB7BE2ABD5318F24E03DE25F76561D671D884CB11

Function 00EF2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00EF2D1B
GetDC.USER32(00000000), ref: 00EF2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EF2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00EF2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00EF2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00EF2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00EF5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00EF2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00EF2DE1

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 595770cdaf00baec60147133031dfae2fab83625943a182a257c3d8820f2a7f1
Instruction ID: d093a6348e5516e1bf6d9f0d30070e282cc01860cf12d397f02d2b6b9736dce8
Opcode Fuzzy Hash: 595770cdaf00baec60147133031dfae2fab83625943a182a257c3d8820f2a7f1
Instruction Fuzzy Hash: A6319872201218AFEB208F11CC8AFBB3BA9EB49715F244055FF08EA291C6758845CBA1

Function 00EC5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00EC5637
_memcmp.LIBVCRUNTIME ref: 00EC5659
_memcmp.LIBVCRUNTIME ref: 00EC5671
_memcmp.LIBVCRUNTIME ref: 00EC5684
_memcmp.LIBVCRUNTIME ref: 00EC569E
_memcmp.LIBVCRUNTIME ref: 00EC56B1
_memcmp.LIBVCRUNTIME ref: 00EC56C9
_memcmp.LIBVCRUNTIME ref: 00EC56E4

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b37d69ee2572b8182082392133d8d6fa8ff8ad6d41158a870c6eab6e9cb8e08f
Instruction ID: 771a42eafc265e784f044350f5b991ae323ccaec9e99bb02b8bc681c52276819
Opcode Fuzzy Hash: b37d69ee2572b8182082392133d8d6fa8ff8ad6d41158a870c6eab6e9cb8e08f
Instruction Fuzzy Hash: BE21AA63640B1977D61465108F82FFA739CAF11388F542029FE0C7A541F722FD9382A9

Function 00EE4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00EE5007
NULL Pointer assignment, xrefs: 00EE502E, 00EE5383

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: eef0f497b1641d46aabdcb77b4809543749e1393d3cc2fb8c404137f8c127924
Instruction ID: 9d4693819ab57eeb302abe85a689295d9b5b5bd0baa32d63b358ec1c3dc2b9f6
Opcode Fuzzy Hash: eef0f497b1641d46aabdcb77b4809543749e1393d3cc2fb8c404137f8c127924
Instruction Fuzzy Hash: 27D1B072A0064E9FDF10CFA9C881BAEB7B5BF48358F149069E915BB281E770DD45CB90

Function 00EA1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00EA17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00EA15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00EA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00EA1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00EA17FB,?,00EA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00EA16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00EA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00EA16FB

Part of subcall function 00E93820: RtlAllocateHeap.NTDLL(00000000,?,00F31444,?,00E7FDF5,?,?,00E6A976,00000010,00F31440,00E613FC,?,00E613C6,?,00E61129), ref: 00E93852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00EA17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00EA1777
__freea.LIBCMT ref: 00EA17A2
__freea.LIBCMT ref: 00EA17AE

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 7e4ed822ca9c5a7e5012e2c9bf7bd0917f181f96246504446be69ac82c3a1985
Instruction ID: ef40a0fef5eb6ba84278eb0a1bd4462256d6ec665568a9f69b7cebb4d266ac4d
Opcode Fuzzy Hash: 7e4ed822ca9c5a7e5012e2c9bf7bd0917f181f96246504446be69ac82c3a1985
Instruction Fuzzy Hash: F091A371E002169ADF248E74C881AEE7BF5AF8F714F186599F801FB181D725ED44CB60

Function 00EE4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EE4648
VariantInit.OLEAUT32(?), ref: 00EE4749
VariantClear.OLEAUT32(?), ref: 00EE4753
VariantClear.OLEAUT32(?), ref: 00EE47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00EE472C
Null Object assignment in FOR..IN loop, xrefs: 00EE45D8, 00EE4706, 00EE47BE

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 711afea7e3a154cd2afd620733af8fdc068e9e5fff5a012990181585f9ea01a2
Instruction ID: c74589dcd5cf62b9e061c9f43543685c1e1193cd4eab88ec19ce05f83eac0417
Opcode Fuzzy Hash: 711afea7e3a154cd2afd620733af8fdc068e9e5fff5a012990181585f9ea01a2
Instruction Fuzzy Hash: 4D91B2B1A00259AFDF20CFA6D844FAEBBB8EF46714F10955AF505BB280D7709945CFA0

Function 00ED1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00ED125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00ED1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00ED12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00ED12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00ED135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00ED13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00ED1430

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 73b14132b8383641aba214a00b0ac7e4cf29ba14fbcf29f4e206100b9a201b54
Instruction ID: a3550bdf2126fa44a298ab9475540aa685e473475e3107ece826d149480e1766
Opcode Fuzzy Hash: 73b14132b8383641aba214a00b0ac7e4cf29ba14fbcf29f4e206100b9a201b54
Instruction Fuzzy Hash: 6891BF71A00218AFDB009F98C884BBEB7B5FF45315F24606AE950FB3A1D775A946CB90

Function 00E7948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ca463150d3d86d51c543fc0de6d62fa25f927720636dcaa6f61c69ebe86b36a4
Instruction ID: 703728c5a3a5b4fc36686e69cfe15e041339132315d92fcc37e084448aabe1bb
Opcode Fuzzy Hash: ca463150d3d86d51c543fc0de6d62fa25f927720636dcaa6f61c69ebe86b36a4
Instruction Fuzzy Hash: 07914971D00219EFCB10CFA9CC84AEEBBB8FF89324F249155E515B7252D774A942CB60

Function 00EE3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EE396B
CharUpperBuffW.USER32(?,?), ref: 00EE3A7A
_wcslen.LIBCMT ref: 00EE3A8A
VariantClear.OLEAUT32(?), ref: 00EE3C1F

Part of subcall function 00ED0CDF: VariantInit.OLEAUT32(00000000), ref: 00ED0D1F
Part of subcall function 00ED0CDF: VariantCopy.OLEAUT32(?,?), ref: 00ED0D28
Part of subcall function 00ED0CDF: VariantClear.OLEAUT32(?), ref: 00ED0D34

Strings

AUTOIT.ERROR, xrefs: 00EE3A80, 00EE3A85
Incorrect Parameter format, xrefs: 00EE39A6, 00EE3BA1

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: aa970458f11e6d6f8f48a8a419f01df10b0892b5d78908045d0b480a2776be84
Instruction ID: 9b3c23634c753df715a6d1f27eb241fa137df2265b2f6ec2e11cddfc4a6c48e7
Opcode Fuzzy Hash: aa970458f11e6d6f8f48a8a419f01df10b0892b5d78908045d0b480a2776be84
Instruction Fuzzy Hash: 7E919D746083459FC704EF25C48496AB7E5FF88318F14986EF88AA7351DB31EE45CB92

Function 00EE4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00EC000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?,?,?,00EC035E), ref: 00EC002B
Part of subcall function 00EC000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?,?), ref: 00EC0046
Part of subcall function 00EC000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?,?), ref: 00EC0054
Part of subcall function 00EC000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?), ref: 00EC0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00EE4C51
_wcslen.LIBCMT ref: 00EE4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00EE4DCF
CoTaskMemFree.OLE32(?), ref: 00EE4DDA

Strings

NULL Pointer assignment, xrefs: 00EE4E23, 00EE4E52

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 768a8689a5500f8e37728572483f6e4a98121913c9d50408f1e3e98e72fc0973
Instruction ID: 6426916c3d04c87654c50986f4010fc6d75a9217aaf14d68faec031df9da14c3
Opcode Fuzzy Hash: 768a8689a5500f8e37728572483f6e4a98121913c9d50408f1e3e98e72fc0973
Instruction Fuzzy Hash: 819148B1D0025D9FDF14DFA5D881AEEB7B8BF08314F205169E915BB291DB305A45CF60

Function 00EF20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00EF2183
GetMenuItemCount.USER32(00000000), ref: 00EF21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00EF21DD
_wcslen.LIBCMT ref: 00EF2213
GetMenuItemID.USER32(?,?), ref: 00EF224D
GetSubMenu.USER32(?,?), ref: 00EF225B

Part of subcall function 00EC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EC3A57
Part of subcall function 00EC3A3D: GetCurrentThreadId.KERNEL32 ref: 00EC3A5E
Part of subcall function 00EC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EC25B3), ref: 00EC3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EF22E3

Part of subcall function 00ECE97B: Sleep.KERNEL32 ref: 00ECE9F3

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c5a726d9e427b63452fa42bbb042c3d469a4f8280820b4fcab84ab7448a85ac8
Instruction ID: 7ff58647eb638ace7b33bab3969530d3209a3430521c18e412fe651a16265858
Opcode Fuzzy Hash: c5a726d9e427b63452fa42bbb042c3d469a4f8280820b4fcab84ab7448a85ac8
Instruction Fuzzy Hash: 1B718C75A00209AFCB10DFA4C841ABEB7F1EF88314F249459EA56BB351DB34AD418B90

Function 00EF7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(016359F8), ref: 00EF7F37
IsWindowEnabled.USER32(016359F8), ref: 00EF7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00EF801E
SendMessageW.USER32(016359F8,000000B0,?,?), ref: 00EF8051
IsDlgButtonChecked.USER32(?,?), ref: 00EF8089
GetWindowLongW.USER32(016359F8,000000EC), ref: 00EF80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00EF80C3

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 4a24010110f85835300d2c06a635530c5b48c114e4433e49f57d0963d373c1d8
Instruction ID: 0623410c3575b18af8d4efebc1037f3df409967bcd4b3eb59161f9ec270b39ee
Opcode Fuzzy Hash: 4a24010110f85835300d2c06a635530c5b48c114e4433e49f57d0963d373c1d8
Instruction Fuzzy Hash: 2B719E3560820CAFEB219F64C984FFA7BB9FF49304F245499EA85B7261CB31A845DB10

Function 00ECAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00ECAEF9
GetKeyboardState.USER32(?), ref: 00ECAF0E
SetKeyboardState.USER32(?), ref: 00ECAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00ECAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00ECAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00ECAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00ECB020

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3c2a704f09cdff2d59e472424f59d0113bee84f8be97e92b3f77d451ba37453c
Instruction ID: 7505b1f416d15e16d7e6e7e73c117772cc92a63b291caae42ba58a710fcf32e6
Opcode Fuzzy Hash: 3c2a704f09cdff2d59e472424f59d0113bee84f8be97e92b3f77d451ba37453c
Instruction Fuzzy Hash: 6F51D1A06043D93DFB364234C946FBA7EE95B06308F0C949DE1D5A54C2C3AAA8CAD752

Function 00ECACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00ECAD19
GetKeyboardState.USER32(?), ref: 00ECAD2E
SetKeyboardState.USER32(?), ref: 00ECAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00ECADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00ECADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00ECAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00ECAE38

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0f83c8cabe86367269bb6cb0eaf758f56b2a3a7df04f13b44de9ea18c284c88c
Instruction ID: dc3df3d51e82030471dcf703e1f8c561cdef9f34cd1de50e6c16b17c29fac34e
Opcode Fuzzy Hash: 0f83c8cabe86367269bb6cb0eaf758f56b2a3a7df04f13b44de9ea18c284c88c
Instruction Fuzzy Hash: CB51E5A05047D93DFB3682348D45FBA7EA85B4530CF0C949CE1D6A68C3C296ECCAD792

Function 00E9542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00EA3CD6,?,?,?,?,?,?,?,?,00E95BA3,?,?,00EA3CD6,?,?), ref: 00E95470
__fassign.LIBCMT ref: 00E954EB
__fassign.LIBCMT ref: 00E95506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00EA3CD6,00000005,00000000,00000000), ref: 00E9552C
WriteFile.KERNEL32(?,00EA3CD6,00000000,00E95BA3,00000000,?,?,?,?,?,?,?,?,?,00E95BA3,?), ref: 00E9554B
WriteFile.KERNEL32(?,?,00000001,00E95BA3,00000000,?,?,?,?,?,?,?,?,?,00E95BA3,?), ref: 00E95584

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 13ec6b41dbe737c07891dc9093c0cdb883786d449c993acb6460b97a8c990e34
Instruction ID: b4a23eaa8fd98e1904ccfacd1a5c3237db9dfaca4e34624dba93d81a9aac56f1
Opcode Fuzzy Hash: 13ec6b41dbe737c07891dc9093c0cdb883786d449c993acb6460b97a8c990e34
Instruction Fuzzy Hash: 5B51C171A006099FDF11CFA8D841AEEBBF9EF49300F25515AE555F7292D6309A41CF60

Function 00EE10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EE307A
Part of subcall function 00EE304E: _wcslen.LIBCMT ref: 00EE309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00EE1112
WSAGetLastError.WSOCK32 ref: 00EE1121
WSAGetLastError.WSOCK32 ref: 00EE11C9
closesocket.WSOCK32(00000000), ref: 00EE11F9

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: e2fee7b216aa195e4ad52f121cb6209e36c617eb5a75472b019da131d324ea13
Instruction ID: 01862202e01e51d8d20a4d33257998d883fe6e5d8e6ed8b9ce9b529fb712c633
Opcode Fuzzy Hash: e2fee7b216aa195e4ad52f121cb6209e36c617eb5a75472b019da131d324ea13
Instruction Fuzzy Hash: 2E411631200248AFDB109F65C844BA9B7E9EF84368F249099F905BB291C770AD85CBA0

Function 00ECCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ECCF22,?), ref: 00ECDDFD

Part of subcall function 00ECDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ECCF22,?), ref: 00ECDE16

lstrcmpiW.KERNEL32(?,?), ref: 00ECCF45
MoveFileW.KERNEL32(?,?), ref: 00ECCF7F
_wcslen.LIBCMT ref: 00ECD005
_wcslen.LIBCMT ref: 00ECD01B
SHFileOperationW.SHELL32(?), ref: 00ECD061

Strings

\*.*, xrefs: 00ECCFF3

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: e72d9968e1f5fc6c480d7d8b224687781edfe59cf67bc54b8755a16cb92862c9
Instruction ID: e1fd6b46aebb625ae3762ec0b8343fd00a8187975d36570fc5e0175c61ae2b3e
Opcode Fuzzy Hash: e72d9968e1f5fc6c480d7d8b224687781edfe59cf67bc54b8755a16cb92862c9
Instruction Fuzzy Hash: 8D4184719052185EDF12EBA4DA81FDDB7F8AF48380F1410EAE509FB142EA35A649CB10

Function 00EF2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00EF2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00EF2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00EF2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00EF2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00EF2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00EF2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EF2F0B

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d4aec245ffe05c6c154872a732152be4acde3ca340f14375d8fd210a037d5526
Instruction ID: 1cecbc066608f13ce097cb26aa2a5a782e224155e4512f43a1b7aec3e6e120d4
Opcode Fuzzy Hash: d4aec245ffe05c6c154872a732152be4acde3ca340f14375d8fd210a037d5526
Instruction Fuzzy Hash: 043114316451489FEB228F18DD84FA537E1FB8AB24F251168FB00EF2B1CB71A844EB01

Function 00EC7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EC7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EC778F
SysAllocString.OLEAUT32(00000000), ref: 00EC7792
SysAllocString.OLEAUT32(?), ref: 00EC77B0
SysFreeString.OLEAUT32(?), ref: 00EC77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00EC77DE
SysAllocString.OLEAUT32(?), ref: 00EC77EC

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 67954ca0d21c58f251672f7fa72ca61bbc5122efa575be65907769575b0f8aba
Instruction ID: 97263008ef181429e66b9369a36f5cd54163f1e02814bf0d9851480806693aee
Opcode Fuzzy Hash: 67954ca0d21c58f251672f7fa72ca61bbc5122efa575be65907769575b0f8aba
Instruction Fuzzy Hash: 4821B27660421DAFDB10DFA9DD88DBB73ACEB09364720802AF954EB150D670DC46CB64

Function 00EC77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EC7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EC7868
SysAllocString.OLEAUT32(00000000), ref: 00EC786B
SysAllocString.OLEAUT32 ref: 00EC788C
SysFreeString.OLEAUT32 ref: 00EC7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00EC78AF
SysAllocString.OLEAUT32(?), ref: 00EC78BD

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6eb484ae94dbefeec1b1cf70e9b96920be4695ea1795af1729af0d17ff699086
Instruction ID: d25a2151624408391cc853a86ff0ac5b2b5ff22f3a9ee67830a1c3606d969070
Opcode Fuzzy Hash: 6eb484ae94dbefeec1b1cf70e9b96920be4695ea1795af1729af0d17ff699086
Instruction Fuzzy Hash: 8B21C732604118AFDB149FA9DD89EBA77ECEB083607208029FA54EB1A0D670DC45CB64

Function 00ED04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00ED04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00ED052E

Strings

nul, xrefs: 00ED0567

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 2d7bb1bedf95241da1242bf70871904d2c1bf19c2e427722b10086b05854eeb1
Instruction ID: d71b156a8360c3524ce621ffab63e238fd11cb9db36e8531dea28b7ef30d9c2e
Opcode Fuzzy Hash: 2d7bb1bedf95241da1242bf70871904d2c1bf19c2e427722b10086b05854eeb1
Instruction Fuzzy Hash: 7D215175500305DFDB309F29E845B9A77A4EF84728F244A1AECA1F72E0D7709955DF20

Function 00ED05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00ED05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00ED0601

Strings

nul, xrefs: 00ED0639

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 7d75950b22c1631dbc5698154abc507f2a562847df60c83cda01fec499385a54
Instruction ID: 544cf8c594a4eb0cfafb6e0ec1d4c21b97093a9111312ce40066896e829daec9
Opcode Fuzzy Hash: 7d75950b22c1631dbc5698154abc507f2a562847df60c83cda01fec499385a54
Instruction Fuzzy Hash: F6216D755002059FDB209F699804BAA77E4EF95724F341A1AE8B1F73E0D670D866CB20

Function 00EF40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E6600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E6604C
Part of subcall function 00E6600E: GetStockObject.GDI32(00000011), ref: 00E66060
Part of subcall function 00E6600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E6606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00EF4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00EF411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00EF412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00EF4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00EF4145

Strings

Msctls_Progress32, xrefs: 00EF40E3

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: ea825db03b69bcb0ede87ab0f80bf6e71adccde0e0ed056be5fd239903a42789
Instruction ID: fbba94df989d817b8da9026390b531720a0b0d2052bc6a4f273c4bdde8cddee4
Opcode Fuzzy Hash: ea825db03b69bcb0ede87ab0f80bf6e71adccde0e0ed056be5fd239903a42789
Instruction Fuzzy Hash: BF1190B215021DBEEF219E64CC85EF77F9DEF087A8F115110BB18A6090CB729C21DBA4

Function 00E9D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E9D7A3: _free.LIBCMT ref: 00E9D7CC

_free.LIBCMT ref: 00E9D82D

Part of subcall function 00E929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000), ref: 00E929DE
Part of subcall function 00E929C8: GetLastError.KERNEL32(00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000,00000000), ref: 00E929F0

_free.LIBCMT ref: 00E9D838
_free.LIBCMT ref: 00E9D843
_free.LIBCMT ref: 00E9D897
_free.LIBCMT ref: 00E9D8A2
_free.LIBCMT ref: 00E9D8AD
_free.LIBCMT ref: 00E9D8B8

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 56205070649f9be39d8a1a57515a991b723a88cffbc0ba816131ea7c71b84064
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 5C111971944B14BADE21FFF0CC47FCB7BDCAF44700F40682AB29DB6492DA65B50586A0

Function 00ECDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00ECDA74
LoadStringW.USER32(00000000), ref: 00ECDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00ECDA91
LoadStringW.USER32(00000000), ref: 00ECDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00ECDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00ECDAB9

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: c4c3262002de077d9e95409f9eed972e288d3780dace64140a8828f853256f1e
Instruction ID: f39c16874bdfeb51915b0dd32e84d7377edb245f36dcbe0c412eb9798bedc3e6
Opcode Fuzzy Hash: c4c3262002de077d9e95409f9eed972e288d3780dace64140a8828f853256f1e
Instruction Fuzzy Hash: 170162F250420C7FE710ABA19E89EF7726CE748701F6004A6B746F2041E6759E898F74

Function 00ED096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0162E488,0162E488), ref: 00ED097B
EnterCriticalSection.KERNEL32(0162E468,00000000), ref: 00ED098D
TerminateThread.KERNEL32(?,000001F6), ref: 00ED099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00ED09A9
CloseHandle.KERNEL32(?), ref: 00ED09B8
InterlockedExchange.KERNEL32(0162E488,000001F6), ref: 00ED09C8
LeaveCriticalSection.KERNEL32(0162E468), ref: 00ED09CF

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 4fb3d71190ad8f7463267837f3b40d5ffa04a395f9fa3d07a731b5586d55153b
Instruction ID: 850d92a125b33ebb6e65e3976bbf46e95e644f10d394c224eda82c102e42603a
Opcode Fuzzy Hash: 4fb3d71190ad8f7463267837f3b40d5ffa04a395f9fa3d07a731b5586d55153b
Instruction Fuzzy Hash: 7AF01D31442906AFE7415B95EF88BE67A35FF81702FA42016F101A08B1C7759469DF90

Function 00EE1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00EE1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00EE1DE1
WSAGetLastError.WSOCK32 ref: 00EE1DF2
htons.WSOCK32(?,?,?,?,?), ref: 00EE1EDB
inet_ntoa.WSOCK32(?), ref: 00EE1E8C

Part of subcall function 00EC39E8: _strlen.LIBCMT ref: 00EC39F2

Part of subcall function 00EE3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00EDEC0C), ref: 00EE3240

_strlen.LIBCMT ref: 00EE1F35

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 6417d10cb0a865b3e2bedc567a4a76e6214b4a5cca5ef58bc88160782ff5c4f9
Instruction ID: 2d78158cd97b716b089edbaf8986e6e378d3ecf88698cf81345dd0754e6bc943
Opcode Fuzzy Hash: 6417d10cb0a865b3e2bedc567a4a76e6214b4a5cca5ef58bc88160782ff5c4f9
Instruction Fuzzy Hash: FAB1E631204384AFC324DF25C895F6A77E5AF84318F64A58CF45A6B2E2DB31ED85CB91

Function 00E65D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00E65D30
GetWindowRect.USER32(?,?), ref: 00E65D71
ScreenToClient.USER32(?,?), ref: 00E65D99
GetClientRect.USER32(?,?), ref: 00E65ED7
GetWindowRect.USER32(?,?), ref: 00E65EF8

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 7a5713d6706b89bb84333e35b6ed4d12d4c31f09da4b00633209421a3bb039bb
Instruction ID: 4b7aca032b67583cb4b7a1c8798c99099d85fff4506efee16b269defbb335da0
Opcode Fuzzy Hash: 7a5713d6706b89bb84333e35b6ed4d12d4c31f09da4b00633209421a3bb039bb
Instruction Fuzzy Hash: 03B18C75A0074ADBDB14CFA9D4407EEB7F1FF88314F14A41AE8A9E7290D734AA51CB50

Function 00E901B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00E900BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E900D6
__allrem.LIBCMT ref: 00E900ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E9010B
__allrem.LIBCMT ref: 00E90122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E90140

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 8e4a3dd71e9d4122ed0fa8883d6f05114c0824f040099617651b1bcd6a04aeb5
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 31811672B00706AFEB24AF69CC41B6B73E9AF45728F24653EF559F6281E770E9008750

Function 00E961FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E882D9,00E882D9,?,?,?,00E9644F,00000001,00000001,?), ref: 00E96258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E9644F,00000001,00000001,?,?,?,?), ref: 00E962DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E963D8
__freea.LIBCMT ref: 00E963E5

Part of subcall function 00E93820: RtlAllocateHeap.NTDLL(00000000,?,00F31444,?,00E7FDF5,?,?,00E6A976,00000010,00F31440,00E613FC,?,00E613C6,?,00E61129), ref: 00E93852

__freea.LIBCMT ref: 00E963EE
__freea.LIBCMT ref: 00E96413

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 2b55dbf9741fec7032046c476d55214a91f85a4b88ef95eb529e8a77726a5a01
Instruction ID: 5033beea37a42f12633d7eeddeea512d1485edb4ba26e9d4fe35d9de7b3281bf
Opcode Fuzzy Hash: 2b55dbf9741fec7032046c476d55214a91f85a4b88ef95eb529e8a77726a5a01
Instruction Fuzzy Hash: 0B51F372A00216AFDF268F64CC81EBF77A9EB94754F25526AFC05F6190EB34DC50C660

Function 00EEBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EEB6AE,?,?), ref: 00EEC9B5
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EEC9F1
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EECA68
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EEBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EEBD25
RegCloseKey.ADVAPI32(00000000), ref: 00EEBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00EEBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EEBDF3
RegCloseKey.ADVAPI32(?), ref: 00EEBDFF

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 26efdc29e93c5944d1f71cea928a170e93a7689f93c2cc2c213564a5d8567f0d
Instruction ID: 73a2fecdf0ad29636661e35efc317ed9469633791fe565d794ac8448aec64353
Opcode Fuzzy Hash: 26efdc29e93c5944d1f71cea928a170e93a7689f93c2cc2c213564a5d8567f0d
Instruction Fuzzy Hash: 3781B030208245AFD714DF25C881E2BBBE5FF84348F24995CF459AB2A2DB31ED45CB92

Function 00EBF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00EBF7B9
SysAllocString.OLEAUT32(00000001), ref: 00EBF860
VariantCopy.OLEAUT32(00EBFA64,00000000), ref: 00EBF889
VariantClear.OLEAUT32(00EBFA64), ref: 00EBF8AD
VariantCopy.OLEAUT32(00EBFA64,00000000), ref: 00EBF8B1
VariantClear.OLEAUT32(?), ref: 00EBF8BB

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: b97fe963017c5938c2dee5ae8de99823c9baeed9b676194605dabbe0e1c4e0a6
Instruction ID: 25e5ddcda5d5ac12ddf7dee45764540cab60d8d36e236d456fab0bf05bc4cd34
Opcode Fuzzy Hash: b97fe963017c5938c2dee5ae8de99823c9baeed9b676194605dabbe0e1c4e0a6
Instruction Fuzzy Hash: 4651A731500310BACF24ABA5DC95BAAB3E9EF85714B24B477E905FF295DB708C40CB96

Function 00ED910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00E67620: _wcslen.LIBCMT ref: 00E67625

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00ED94E5
_wcslen.LIBCMT ref: 00ED9506
_wcslen.LIBCMT ref: 00ED952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00ED9585

Strings

X, xrefs: 00ED9412

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 48112d3024e6af3f70e46e051a48e8abe0e2388c6d077634e57c9fae3c50628a
Instruction ID: 77d1ebf7838ee6f02a60f71e6561c0b710e153a7613f5e761ddb9c093e8c0a79
Opcode Fuzzy Hash: 48112d3024e6af3f70e46e051a48e8abe0e2388c6d077634e57c9fae3c50628a
Instruction Fuzzy Hash: E4E1A2315083009FD724EF24D881A6AB7E4FF85354F14996EF899AB3A2DB31DD05CB92

Function 00E7920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

BeginPaint.USER32(?,?,?), ref: 00E79241
GetWindowRect.USER32(?,?), ref: 00E792A5
ScreenToClient.USER32(?,?), ref: 00E792C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E792D3
EndPaint.USER32(?,?,?,?,?), ref: 00E79321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00EB71EA

Part of subcall function 00E79339: BeginPath.GDI32(00000000), ref: 00E79357

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 4a6abfaf845756f43975d142e5331d9f58f40984760042f6d2a2b7664cec7f5a
Instruction ID: 8fe7024b2abb5d9a049ea8bec5b80eb0bac612b611e9942261af09863b838613
Opcode Fuzzy Hash: 4a6abfaf845756f43975d142e5331d9f58f40984760042f6d2a2b7664cec7f5a
Instruction Fuzzy Hash: 5C41CF30109204AFD710DF25DC84FBA7BF9FF85724F104229F9A9A72A2C7319849DB61

Function 00ED07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00ED080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00ED0847
EnterCriticalSection.KERNEL32(?), ref: 00ED0863
LeaveCriticalSection.KERNEL32(?), ref: 00ED08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00ED08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00ED0921

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 2f1604db486efe9866c4b22ecd8122ebd2fbab681761dc4edc7514c046a6461f
Instruction ID: 4346a92912ffbeba493be060cc52139601ffed7c1570746c63c7b3e557e1300b
Opcode Fuzzy Hash: 2f1604db486efe9866c4b22ecd8122ebd2fbab681761dc4edc7514c046a6461f
Instruction Fuzzy Hash: F3415B71900209EFDF14AF54DC85A6A77B8FF44314F2480A9ED04AA297D730EE65DBA4

Function 00EF81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00EBF3AB,00000000,?,?,00000000,?,00EB682C,00000004,00000000,00000000), ref: 00EF824C
EnableWindow.USER32(?,00000000), ref: 00EF8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00EF82D1
ShowWindow.USER32(?,00000004), ref: 00EF82E5
EnableWindow.USER32(?,00000001), ref: 00EF830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00EF832F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f534d463a529a9e7f8c6654111603242c35e3b98d7758ebb9ae73e0a1ba76c5e
Instruction ID: b9fa7dc028494ada147dff06839f5ea50ab75d66c9e2a2db7d7cd589d0168b7e
Opcode Fuzzy Hash: f534d463a529a9e7f8c6654111603242c35e3b98d7758ebb9ae73e0a1ba76c5e
Instruction Fuzzy Hash: A241B73060264CEFEB11CF15CA95BF87BE1BB45718F186165E6486F2B2CB31A845CF50

Function 00EC4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00EC4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00EC4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00EC4CEA
_wcslen.LIBCMT ref: 00EC4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00EC4D10
_wcsstr.LIBVCRUNTIME ref: 00EC4D1A

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 1cf780edf4a43be9927f25cf74448d9de7a6eeaf216f1320f4e3f61926af7a52
Instruction ID: 5cefb48ebf62c76b897ffe26f1c5224c1b1e4373f8127f13eda0e1a624ffd9d5
Opcode Fuzzy Hash: 1cf780edf4a43be9927f25cf74448d9de7a6eeaf216f1320f4e3f61926af7a52
Instruction Fuzzy Hash: 9E210AB12042047BEB256B259D15F7B7FD8DF45750F20902DF809EA1D1EA62CC01C361

Function 00ED581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E63A97,?,?,00E62E7F,?,?,?,00000000), ref: 00E63AC2

_wcslen.LIBCMT ref: 00ED587B
CoInitialize.OLE32(00000000), ref: 00ED5995
CoCreateInstance.OLE32(00EFFCF8,00000000,00000001,00EFFB68,?), ref: 00ED59AE
CoUninitialize.OLE32 ref: 00ED59CC

Strings

.lnk, xrefs: 00ED5876, 00ED58C1, 00ED5985

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: ab7cd6fb888d9c1fabd43d11979e8fa65a6aa537658c7fb1f8efa32f2e0e6d15
Instruction ID: 66430bc7d75420528b64fb515cc20fa681056b9d639c4b9a336ac0cf38d981c4
Opcode Fuzzy Hash: ab7cd6fb888d9c1fabd43d11979e8fa65a6aa537658c7fb1f8efa32f2e0e6d15
Instruction Fuzzy Hash: A8D175726047019FC714DF24C49492ABBE5EF89314F14985EF88AAB361DB31EC46CB92

Function 00EC175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EC0FCA
Part of subcall function 00EC0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EC0FD6
Part of subcall function 00EC0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EC0FE5
Part of subcall function 00EC0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EC0FEC
Part of subcall function 00EC0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EC1002

GetLengthSid.ADVAPI32(?,00000000,00EC1335), ref: 00EC17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00EC17BA
HeapAlloc.KERNEL32(00000000), ref: 00EC17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00EC17DA
GetProcessHeap.KERNEL32(00000000,00000000,00EC1335), ref: 00EC17EE
HeapFree.KERNEL32(00000000), ref: 00EC17F5

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 286b176c2fabfd0ea7e6314885417103f7c2c3e0f436d2ead658193a9b70c723
Instruction ID: 0230c966f646bbc01598c48bf2bf6e8ee243ea094cd3820f643be73d3b87716d
Opcode Fuzzy Hash: 286b176c2fabfd0ea7e6314885417103f7c2c3e0f436d2ead658193a9b70c723
Instruction Fuzzy Hash: BD11AC31501208EFDB108BA4CE48FAE7BB8EF82319F20405DF441A7211C7369956CB60

Function 00EC14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00EC14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00EC1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00EC1515
CloseHandle.KERNEL32(00000004), ref: 00EC1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EC154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00EC1563

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7f2f32052d5448fcba4a17bb51d7fad4e4b379d649309bfbf24e0d6833a537a3
Instruction ID: 44e64dca3ebed09f262d8d5ce80e938e35c18a5cc7c2b98e62cfe5f57a664ec0
Opcode Fuzzy Hash: 7f2f32052d5448fcba4a17bb51d7fad4e4b379d649309bfbf24e0d6833a537a3
Instruction Fuzzy Hash: 34114D7250120DAFDB118F94DE49FDE7BA9EF45748F244059FA05B2160C3728D55EB60

Function 00E83382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E83379,00E82FE5), ref: 00E83390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E8339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E833B7
SetLastError.KERNEL32(00000000,?,00E83379,00E82FE5), ref: 00E83409

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a54fa6a3b128528f2bf8d6a9615907d80213f8df00db1110763ada50ff7f87a5
Instruction ID: db5c5146c21a1548b0d06ef1b4df72bdf7a1068b7dc7fabbe06771d01c7caab3
Opcode Fuzzy Hash: a54fa6a3b128528f2bf8d6a9615907d80213f8df00db1110763ada50ff7f87a5
Instruction Fuzzy Hash: 42012832609315BEAA2477787C8596A2ED4EB05F793302229F42CF01F0EF114E0663C4

Function 00E92D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E95686,00EA3CD6,?,00000000,?,00E95B6A,?,?,?,?,?,00E8E6D1,?,00F28A48), ref: 00E92D78
_free.LIBCMT ref: 00E92DAB
_free.LIBCMT ref: 00E92DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00E8E6D1,?,00F28A48,00000010,00E64F4A,?,?,00000000,00EA3CD6), ref: 00E92DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00E8E6D1,?,00F28A48,00000010,00E64F4A,?,?,00000000,00EA3CD6), ref: 00E92DEC
_abort.LIBCMT ref: 00E92DF2

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: fee850885b24ecf65c04f8e0635cb4077c8c0b0c8115761cb9c732b6b174e1b2
Instruction ID: ec3211c45cdba0379f626e9c2a0cf42e1429e5f616d4797e53ccb57f26e18a34
Opcode Fuzzy Hash: fee850885b24ecf65c04f8e0635cb4077c8c0b0c8115761cb9c732b6b174e1b2
Instruction Fuzzy Hash: D7F0C8355056003BCE226735BC06E6F25D9AFC17A5F35241DFA24F21E2EF24880251A0

Function 00EF8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00E79639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E79693
Part of subcall function 00E79639: SelectObject.GDI32(?,00000000), ref: 00E796A2
Part of subcall function 00E79639: BeginPath.GDI32(?), ref: 00E796B9
Part of subcall function 00E79639: SelectObject.GDI32(?,00000000), ref: 00E796E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00EF8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00EF8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00EF8A70
LineTo.GDI32(?,00000000,00000003), ref: 00EF8A80
EndPath.GDI32(?), ref: 00EF8A90
StrokePath.GDI32(?), ref: 00EF8AA0

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 42d0cf64246a0336a445803709aa3df3d81f76e4d078400f80a7e76b801b8d40
Instruction ID: ae2789ac4bde8edc3c8bdf94c7deae8832d9284673a9b7a3812c25d324d675bd
Opcode Fuzzy Hash: 42d0cf64246a0336a445803709aa3df3d81f76e4d078400f80a7e76b801b8d40
Instruction Fuzzy Hash: F211097600010DFFDB129F91DD88EAA7F6DEB08364F108052BA19AA1A1DB719D55DBA0

Function 00EC51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EC5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00EC5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EC5230
ReleaseDC.USER32(00000000,00000000), ref: 00EC5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00EC524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00EC5261

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b97b6ac9a73e94fc435772f59a716f6420fd3976f3da788954228632d0224589
Instruction ID: c35134e0fa0e7c5e4dcc04761e7141cad904fc37064ec9767ef3d8bd43b9e095
Opcode Fuzzy Hash: b97b6ac9a73e94fc435772f59a716f6420fd3976f3da788954228632d0224589
Instruction Fuzzy Hash: 0C018475A00708BFEB105BA69D49F5EBFB8EB44751F244065FA04F7390DA709805CBA0

Function 00E61BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E61BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E61BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E61C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E61C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E61C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E61C22

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: cf392c8bc69ecd161bd88bf27caa2ca3008411dcbcd3231cf8d6a230bc361bb3
Instruction ID: 222a4970a7780f0ee1adf1c4a14cf20ffecac5a339b4b7d6ada94182b02af4ef
Opcode Fuzzy Hash: cf392c8bc69ecd161bd88bf27caa2ca3008411dcbcd3231cf8d6a230bc361bb3
Instruction Fuzzy Hash: 6F016CB09027597DE3008F5A8C85B52FFA8FF59754F10411B915C47941C7F5A868CBE5

Function 00ECEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00ECEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00ECEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00ECEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ECEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ECEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ECEB75

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 557f7a6313909e2ee91d0b33a245f10ba27183ea729ed56acb1e6651a219db2d
Instruction ID: 388bc0e0509296394fc5f3cc5e3ccb6cd2fec27eefe976956f324d2a85ecb6d9
Opcode Fuzzy Hash: 557f7a6313909e2ee91d0b33a245f10ba27183ea729ed56acb1e6651a219db2d
Instruction Fuzzy Hash: 95F06772201118BFE7205B639E0EEFB3A7CEFCAF11F200158F601E1090AAA01A05C6B5

Function 00EB7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00EB7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00EB7469
GetWindowDC.USER32(?), ref: 00EB7475
GetPixel.GDI32(00000000,?,?), ref: 00EB7484
ReleaseDC.USER32(?,00000000), ref: 00EB7496
GetSysColor.USER32(00000005), ref: 00EB74B0

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: f87be6edc01ad24b4d72383fd07d83fbe9e8c0a8c7027b0b9629673a262a05a0
Instruction ID: 1cfbd4b5201941e33afd921ad84c31c07a3e6b0a79d6ed83b2407c6e8f885264
Opcode Fuzzy Hash: f87be6edc01ad24b4d72383fd07d83fbe9e8c0a8c7027b0b9629673a262a05a0
Instruction Fuzzy Hash: 68017431404219EFEB105FA5DE08BFA7BB6FB84322F314060F92AB21A1CB311E55EB51

Function 00EC1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EC187F
UnloadUserProfile.USERENV(?,?), ref: 00EC188B
CloseHandle.KERNEL32(?), ref: 00EC1894
CloseHandle.KERNEL32(?), ref: 00EC189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00EC18A5
HeapFree.KERNEL32(00000000), ref: 00EC18AC

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 46b001cfd96797740dc5dd23c5582dee587d73a01a10abf3ab285571c5596507
Instruction ID: 1951220b9ce44bcd5541faf3e98baaaac40dfb259e8059f41503bef663ffd1c9
Opcode Fuzzy Hash: 46b001cfd96797740dc5dd23c5582dee587d73a01a10abf3ab285571c5596507
Instruction Fuzzy Hash: D6E0C936005109BFD6015BA2EE0CD15BF39FF897217708221F225A1071CB325474EB50

Function 00EE7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00E80242: EnterCriticalSection.KERNEL32(00F3070C,00F31884,?,?,00E7198B,00F32518,?,?,?,00E612F9,00000000), ref: 00E8024D
Part of subcall function 00E80242: LeaveCriticalSection.KERNEL32(00F3070C,?,00E7198B,00F32518,?,?,?,00E612F9,00000000), ref: 00E8028A

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00E800A3: __onexit.LIBCMT ref: 00E800A9

__Init_thread_footer.LIBCMT ref: 00EE7BFB

Part of subcall function 00E801F8: EnterCriticalSection.KERNEL32(00F3070C,?,?,00E78747,00F32514), ref: 00E80202
Part of subcall function 00E801F8: LeaveCriticalSection.KERNEL32(00F3070C,?,00E78747,00F32514), ref: 00E80235

Strings

+T, xrefs: 00EE7E2E
Variable must be of type 'Object'., xrefs: 00EE7C3A
5, xrefs: 00EE7C78
G, xrefs: 00EE7C7F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T$5$G$Variable must be of type 'Object'.
API String ID: 535116098-4125810065
Opcode ID: 43fe33453b148f6064b63ef88dad9ef23ef53d5e20108b631e0b634bdbe5c0a3
Instruction ID: 0c042f1b274efa7823260e353193b978649c87ce5b5a3d920472c8a43d603944
Opcode Fuzzy Hash: 43fe33453b148f6064b63ef88dad9ef23ef53d5e20108b631e0b634bdbe5c0a3
Instruction Fuzzy Hash: 0791AB70A0424CEFCB04EF55D9809ADB7B1FF49308F249059F886BB292DB71AE45CB51

Function 00ECC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E67620: _wcslen.LIBCMT ref: 00E67625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ECC6EE
_wcslen.LIBCMT ref: 00ECC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ECC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00ECC7CA

Strings

0, xrefs: 00ECC6AF

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 345353c36f523e6ff2b8606d2d219cb5d7e17fb893a52e78dd4226f62bd1f8b7
Instruction ID: 2bbbf0ea3cfa4b7f41400dde68bb9a59b7869a49b1346d1bb168cd5b09730066
Opcode Fuzzy Hash: 345353c36f523e6ff2b8606d2d219cb5d7e17fb893a52e78dd4226f62bd1f8b7
Instruction Fuzzy Hash: 3251D0716043009BD7149F38CA44FAB77E4EB89318F242A2EF999F2190DB62D806DB52

Function 00EEAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00EEAEA3

Part of subcall function 00E67620: _wcslen.LIBCMT ref: 00E67625

GetProcessId.KERNEL32(00000000), ref: 00EEAF38
CloseHandle.KERNEL32(00000000), ref: 00EEAF67

Strings

<, xrefs: 00EEAE6B
@, xrefs: 00EEAE72

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: d57c6ef127c534abcf257f3457382dbd1a4d5ad61b1836bd3212a4c9062bd957
Instruction ID: 87205f3354c0960bf0a65804c58b51e16bbfc08e678500381dcfd314ec4f693e
Opcode Fuzzy Hash: d57c6ef127c534abcf257f3457382dbd1a4d5ad61b1836bd3212a4c9062bd957
Instruction Fuzzy Hash: B7716770A00259DFCB14DF55D484A9EBBF0EF08318F1894ADE85ABB262C770ED45CB91

Function 00EC719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00EC7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00EC723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00EC724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00EC72CF

Strings

DllGetClassObject, xrefs: 00EC7242

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 4e56a42e964cfd49438ae43cc535cb09d2d1e0b5be1eec14ecda6b89014e83b7
Instruction ID: 0d113f1cb359510c73b93743f48d1ba2469a3696dfa7366807e65ead7f7ef117
Opcode Fuzzy Hash: 4e56a42e964cfd49438ae43cc535cb09d2d1e0b5be1eec14ecda6b89014e83b7
Instruction Fuzzy Hash: 8D4190B16042049FDB19CF54CA84F9A7BB9EF44314F2090ADBD45AF21AD7B2D946CFA0

Function 00EF3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EF3E35
IsMenu.USER32(?), ref: 00EF3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EF3E92
DrawMenuBar.USER32 ref: 00EF3EA5

Strings

0, xrefs: 00EF3D89

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: fdd591a2d905c05e80cf9a65daca403f5611ae67e9492951805c1ee6d330a06f
Instruction ID: 3f393174164b3e5d72448ba53dfdbfbfa06d5430a69ebff982958b36bc4bfd8c
Opcode Fuzzy Hash: fdd591a2d905c05e80cf9a65daca403f5611ae67e9492951805c1ee6d330a06f
Instruction Fuzzy Hash: 06413375A0130DAFDF10DF60D884AEABBB9FF48368F145129EA05AB250D730AE45DF60

Function 00EC1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EC3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00EC1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00EC1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00EC1EA9

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

Strings

ComboBox, xrefs: 00EC1DF0
ListBox, xrefs: 00EC1E25

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 02fcfe9896c61592e1e8b0d4a7a53a31ac008324b7b6dd46c9803a3688eb508e
Instruction ID: 533ce618d6c5e1739437e9af0ee936d1bacb8aad901214c23bb2eef20b8bec00
Opcode Fuzzy Hash: 02fcfe9896c61592e1e8b0d4a7a53a31ac008324b7b6dd46c9803a3688eb508e
Instruction Fuzzy Hash: 55212671A40108AEDB14AB64EE45DFFB7B8DF423A4B20A11DF815F31E2DB35490AD620

Function 00EF2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00EF2F8D
LoadLibraryW.KERNEL32(?), ref: 00EF2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00EF2FA9
DestroyWindow.USER32(?), ref: 00EF2FB1

Strings

SysAnimate32, xrefs: 00EF2F68

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: d6886f981ba83a3c8a938a662d6eff111fd4623770aa3af8440e888af445853b
Instruction ID: c0dc3d157a5c7d826d6cc7d5e9eb1b6e932b2d3483edc8eef00f772d46ee4b8b
Opcode Fuzzy Hash: d6886f981ba83a3c8a938a662d6eff111fd4623770aa3af8440e888af445853b
Instruction Fuzzy Hash: 4F218B72224209ABEB204F64DC80EBB37B9EB59368F20661CFB50F21A0D771DC519760

Function 00E84D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E84D1E,00E928E9,(,00E84CBE,00000000,00F288B8,0000000C,00E84E15,(,00000002), ref: 00E84D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E84DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00E84D1E,00E928E9,(,00E84CBE,00000000,00F288B8,0000000C,00E84E15,(,00000002,00000000), ref: 00E84DC3

Strings

mscoree.dll, xrefs: 00E84D86
CorExitProcess, xrefs: 00E84D98

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bf49a78fc8cb776ac2ac79f849825606dd1fbf2eec0e167033f9dbce91094af8
Instruction ID: 661bedfaee07cb0b6740a5b2df9f40e0368edc11d79bfb81048dd4694cefc593
Opcode Fuzzy Hash: bf49a78fc8cb776ac2ac79f849825606dd1fbf2eec0e167033f9dbce91094af8
Instruction Fuzzy Hash: 83F0AF30A0020DBFDB10AF91DC09BADBBB5EF44755F2000A4F80DB22A0DF309944DB92

Function 00E64E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E64EDD,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E64EAE
FreeLibrary.KERNEL32(00000000,?,?,00E64EDD,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64EC0

Strings

kernel32.dll, xrefs: 00E64E94
Wow64DisableWow64FsRedirection, xrefs: 00E64EA8

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 06556feda67fedb6c282aa7f3575b74cddf284162a6beb1f040e5195a79e6821
Instruction ID: 5f14ab84bd25fa2c61cd94d7845ffb5f8a0f18c2f3605120b4e4204940f926f7
Opcode Fuzzy Hash: 06556feda67fedb6c282aa7f3575b74cddf284162a6beb1f040e5195a79e6821
Instruction Fuzzy Hash: FBE02635A026225F822107267C18A3B6164AFC1BA27241011FC00F2140DB60CC0580A2

Function 00E64E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EA3CDE,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E64E74
FreeLibrary.KERNEL32(00000000,?,?,00EA3CDE,?,00F31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E64E87

Strings

kernel32.dll, xrefs: 00E64E5B
Wow64RevertWow64FsRedirection, xrefs: 00E64E6E

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 53f62c917349a8b23c4d90d70cb7880445e53f277d0da13625382c944aac69e1
Instruction ID: 4cf0fdacfdd83edd5b3aaad2190f1f5994af293e191c2fb226490df3b12db707
Opcode Fuzzy Hash: 53f62c917349a8b23c4d90d70cb7880445e53f277d0da13625382c944aac69e1
Instruction Fuzzy Hash: 75D0C2395436365F47221B267C08DAB2A28AFC1BA53351511B904B6154DF21CD15C1D1

Function 00ED2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00ED2C05
DeleteFileW.KERNEL32(?), ref: 00ED2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00ED2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00ED2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00ED2CC0

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 01752d24e0741804bbff4ee8c758a0048b805411d2154b7a5491a98f51c73932
Instruction ID: 8baed1e63b9a45ab7674411d0146b86861fef738b2f6303278910ee36f8940cd
Opcode Fuzzy Hash: 01752d24e0741804bbff4ee8c758a0048b805411d2154b7a5491a98f51c73932
Instruction Fuzzy Hash: 3AB17072E00119ABDF11EBA4CC85EDEB7BCEF58350F1050AAF609F6251EA309E458F61

Function 00EEA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00EEA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00EEA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00EEA468
CloseHandle.KERNEL32(?), ref: 00EEA63D

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: d304fd8ea374e03000345b51ed2a007deb2eb864a582443faef5575ced5f620a
Instruction ID: 78ad88b74042c61a01bf43ec15206c220d41ccaf66056892a5eca627ce64567b
Opcode Fuzzy Hash: d304fd8ea374e03000345b51ed2a007deb2eb864a582443faef5575ced5f620a
Instruction Fuzzy Hash: E4A1C2716043019FD720DF15D886F2AB7E1AF84714F18985DF5AAAB392D7B0EC40CB92

Function 00E9BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00F03700), ref: 00E9BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00F3121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00E9BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00F31270,000000FF,?,0000003F,00000000,?), ref: 00E9BC36
_free.LIBCMT ref: 00E9BB7F

Part of subcall function 00E929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000), ref: 00E929DE
Part of subcall function 00E929C8: GetLastError.KERNEL32(00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000,00000000), ref: 00E929F0

_free.LIBCMT ref: 00E9BD4B

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 79725eb9938fc1230acbda521ab28ba932f0956b2d83ca892c0a45cf3cae77da
Instruction ID: 3e835adc9acf5f97845beaa1c083025464809553e3c0cb502f3ac6d4bdacb7f1
Opcode Fuzzy Hash: 79725eb9938fc1230acbda521ab28ba932f0956b2d83ca892c0a45cf3cae77da
Instruction Fuzzy Hash: 5F51F57190020DAFDF10EF65AE819AEB7FDFF40324B10526AE554F72A1EB709E419B90

Function 00ECE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ECCF22,?), ref: 00ECDDFD

Part of subcall function 00ECDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ECCF22,?), ref: 00ECDE16

Part of subcall function 00ECE199: GetFileAttributesW.KERNEL32(?,00ECCF95), ref: 00ECE19A

lstrcmpiW.KERNEL32(?,?), ref: 00ECE473
MoveFileW.KERNEL32(?,?), ref: 00ECE4AC
_wcslen.LIBCMT ref: 00ECE5EB
_wcslen.LIBCMT ref: 00ECE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00ECE650

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 5e87acdd5591a159083e1ed2a6baf37deb63209d5b85ac6e0657821d810ff005
Instruction ID: f308bdb1d2d6cb63f90310f34ee451491ca1c6d38b02e7ca544bf0e06b63b9f5
Opcode Fuzzy Hash: 5e87acdd5591a159083e1ed2a6baf37deb63209d5b85ac6e0657821d810ff005
Instruction Fuzzy Hash: 8851A4B24087455BC724EB90DD81EDFB3ECAF84344F10191EF589E3192EF35A5898766

Function 00EEB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EEB6AE,?,?), ref: 00EEC9B5
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EEC9F1
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EECA68
Part of subcall function 00EEC998: _wcslen.LIBCMT ref: 00EECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EEBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EEBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00EEBB63
RegCloseKey.ADVAPI32(?,?), ref: 00EEBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00EEBBB3

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 69b16078db05d950cc54857a0fa03cf60fbb688a780e3044201bf0733348143f
Instruction ID: e7ee08454d471c28e7583f88ad37d85d0b2ed2043dbcba52ab8c020d1379f0e7
Opcode Fuzzy Hash: 69b16078db05d950cc54857a0fa03cf60fbb688a780e3044201bf0733348143f
Instruction Fuzzy Hash: E561C331208245AFD714DF15C490E2BBBE5FF84348F24956CF4999B2A2DB31ED45CB92

Function 00EC8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EC8BCD
VariantClear.OLEAUT32 ref: 00EC8C3E
VariantClear.OLEAUT32 ref: 00EC8C9D
VariantClear.OLEAUT32(?), ref: 00EC8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00EC8D3B

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 48779758ca0618ded4870d2c2ac008662056c19d0161b210b4dbffacf3ddb551
Instruction ID: ac5957706525ac3bde6d48303bc5679a52c323546abaec74af5bddad8658d073
Opcode Fuzzy Hash: 48779758ca0618ded4870d2c2ac008662056c19d0161b210b4dbffacf3ddb551
Instruction Fuzzy Hash: 00517C71A00219DFCB14CF18D994EAABBF8FF89314B118559F915EB350D731E911CB90

Function 00ED8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00ED8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00ED8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00ED8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00ED8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00ED8C5F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 84cc5ce97acca2326f1cc5a85fa7003906dbd6e9f7872d76d21b62809ec8f04a
Instruction ID: 2e89f55a0bf23b7b3b81282b1bb71c06d91d014f20bf71d3ac021a5719a46fff
Opcode Fuzzy Hash: 84cc5ce97acca2326f1cc5a85fa7003906dbd6e9f7872d76d21b62809ec8f04a
Instruction Fuzzy Hash: 71516C35A00218DFCB04DF65C884A6DBBF5FF48358F188499E84AAB362DB31ED51CB91

Function 00EE8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00EE8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00EE8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00EE8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00EE9032
FreeLibrary.KERNEL32(00000000), ref: 00EE9052

Part of subcall function 00E7F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00ED1043,?,7644E610), ref: 00E7F6E6
Part of subcall function 00E7F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00EBFA64,00000000,00000000,?,?,00ED1043,?,7644E610,?,00EBFA64), ref: 00E7F70D

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 316b68c9e53652972ecc7613e3a95a56ce70762431c5709d685b584a98d8038b
Instruction ID: a9c8913a53f439a4d1aaa6f8f0d4396d299ec100d1f7e3514cceda0c1d9da2b9
Opcode Fuzzy Hash: 316b68c9e53652972ecc7613e3a95a56ce70762431c5709d685b584a98d8038b
Instruction Fuzzy Hash: 8B516C34600249DFC714DF59C5848ADBBF1FF49328B1490A8E80ABB362DB31ED85CB90

Function 00EF6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00EF6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00EF6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00EF6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00EDAB79,00000000,00000000), ref: 00EF6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00EF6CC7

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 4cfbd70cceffe8002003da5dfe9da151fca6e9e1b618cd228b2995133ba4d63d
Instruction ID: 837abd4883e4fee24cdf055ad19ba071a24cd563d201f0a4a95007af32ccbb69
Opcode Fuzzy Hash: 4cfbd70cceffe8002003da5dfe9da151fca6e9e1b618cd228b2995133ba4d63d
Instruction Fuzzy Hash: 5A41CF35A0410CAFDB24CF28CD58FB9BBA5EB49364F251268EA95F72E1C371AD41DA40

Function 00E92051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E920C3
_free.LIBCMT ref: 00E920E3

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5f51f82b13c9bd552a6fd62ffe8e1b844a9672a50e7c5217f7ce951aef1ce8e6
Instruction ID: f7d5c4fc0b6014081fbcbf4fcafb39274e80f3463fe538a5bb21027c57625f0e
Opcode Fuzzy Hash: 5f51f82b13c9bd552a6fd62ffe8e1b844a9672a50e7c5217f7ce951aef1ce8e6
Instruction Fuzzy Hash: 9541D232A00204AFCF24DF79C881A9EB7E5EF89714F1555ACE619FB391D631AD01DB81

Function 00E7912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E79141
ScreenToClient.USER32(00000000,?), ref: 00E7915E
GetAsyncKeyState.USER32(00000001), ref: 00E79183
GetAsyncKeyState.USER32(00000002), ref: 00E7919D

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f1d66160120552cff2d964840d6704f5ce10685a259c2799db79da3832cfe363
Instruction ID: 8a40949aa9cabe8fb4d00b3a28db8094949695826560a7a956d42577302ba3dd
Opcode Fuzzy Hash: f1d66160120552cff2d964840d6704f5ce10685a259c2799db79da3832cfe363
Instruction Fuzzy Hash: 1B41AF31A0960ABBCF059F68C848BFEB7B4FF45324F209219E469B32D1C7306954CBA1

Function 00ED3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00ED38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00ED3922
TranslateMessage.USER32(?), ref: 00ED394B
DispatchMessageW.USER32(?), ref: 00ED3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ED3966

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: bb8608865a6b2e30aaf493dc014f4bbb97a803af8418de92614585bb032808e2
Instruction ID: e99a0f8aa64aaf04e4f0d49877200f46c13019a3568a917ae77bd231c189b3d5
Opcode Fuzzy Hash: bb8608865a6b2e30aaf493dc014f4bbb97a803af8418de92614585bb032808e2
Instruction Fuzzy Hash: AE3139705043499EEB34CB35DC58BB637A8EB45318F14142FE462A22E4E3F09686EB23

Function 00EDCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00EDC21E,00000000), ref: 00EDCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00EDCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00EDC21E,00000000), ref: 00EDCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EDC21E,00000000), ref: 00EDCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EDC21E,00000000), ref: 00EDCFF2

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 778106885e8fda1b02f7280b58737b1fb0d0ed435e73cc4ea4ac90b4d9dcac49
Instruction ID: 515812b45bbfa60255e85278b34fd3c47b025a4bb5c00bd2213db5771933c9e3
Opcode Fuzzy Hash: 778106885e8fda1b02f7280b58737b1fb0d0ed435e73cc4ea4ac90b4d9dcac49
Instruction Fuzzy Hash: BF314F71604606AFDB20DFA5C984AEBBBF9EB54394B30542FF506F2250DB30AD46DB60

Function 00EC1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EC1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00EC19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00EC19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00EC19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00EC19E2

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: b1cb1b49b3325d292b1b56299a1a366761a8134637876d447cd3c46dd17cfaad
Instruction ID: 8a84131f52250e9b14915e06f1ba59064240c42ee9a463fd1be62b3a4dde7d1a
Opcode Fuzzy Hash: b1cb1b49b3325d292b1b56299a1a366761a8134637876d447cd3c46dd17cfaad
Instruction Fuzzy Hash: 8031CF71900219EFCB00CFA8CA98BEE3BB5EB85314F205269F921A72D1C3709955CB91

Function 00EF5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00EF5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00EF579D
_wcslen.LIBCMT ref: 00EF57AF
_wcslen.LIBCMT ref: 00EF57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EF5816

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 1d5fc661c7119d5f77cba712805963079caeed0803802ff7c193510083a0082a
Instruction ID: 64c4b4a4fb88ebadd87c0b9e428d1968166ad07094ff6533e486418e1b7ca6f1
Opcode Fuzzy Hash: 1d5fc661c7119d5f77cba712805963079caeed0803802ff7c193510083a0082a
Instruction Fuzzy Hash: F9214F7290461CDADB209F60CC85AFD77B8FB54724F109216EB29FA1C0E7708985CF51

Function 00EE0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00EE0951
GetForegroundWindow.USER32 ref: 00EE0968
GetDC.USER32(00000000), ref: 00EE09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00EE09B0
ReleaseDC.USER32(00000000,00000003), ref: 00EE09E8

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 23e7a0bbb1ece3938c0960572715217e72585ff976f31119cbe4cdc0970d7f6c
Instruction ID: 10ff066022a7f8a5539263cafb23af9cfc7690aac30b87bff32055bf1d10e221
Opcode Fuzzy Hash: 23e7a0bbb1ece3938c0960572715217e72585ff976f31119cbe4cdc0970d7f6c
Instruction Fuzzy Hash: DF219635600208AFD704EF65E944AAEB7F9EF84740F148469F84AF7362DB70AC45CB50

Function 00E9CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00E9CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E9CDE9

Part of subcall function 00E93820: RtlAllocateHeap.NTDLL(00000000,?,00F31444,?,00E7FDF5,?,?,00E6A976,00000010,00F31440,00E613FC,?,00E613C6,?,00E61129), ref: 00E93852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E9CE0F
_free.LIBCMT ref: 00E9CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E9CE31

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 0f950f62c573318a6b9c573456e3b8f31a3f68c772302cc61105de4787517f7f
Instruction ID: 0bd50e018ac26e4649dbc4bb07d7550deffdfcb77b7e77043de4683df3cca77f
Opcode Fuzzy Hash: 0f950f62c573318a6b9c573456e3b8f31a3f68c772302cc61105de4787517f7f
Instruction Fuzzy Hash: 3D0184726022157F2B2166B76C88D7B6A6DDFC6BA53351129FD06F7201EA618D01C2B0

Function 00E79639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E79693
SelectObject.GDI32(?,00000000), ref: 00E796A2
BeginPath.GDI32(?), ref: 00E796B9
SelectObject.GDI32(?,00000000), ref: 00E796E2

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 09ea2f51bd4ae6e52e576c1db1ad95dd3b32cddf3763a4d2df9f83d168e9071c
Instruction ID: e3d43ff579f7ec412ca0cc69c84b93725581cb3e38fd8c725a75d10db211c809
Opcode Fuzzy Hash: 09ea2f51bd4ae6e52e576c1db1ad95dd3b32cddf3763a4d2df9f83d168e9071c
Instruction Fuzzy Hash: 5A216D30803209EFDB119FA5ED04BAD3BBABF40779F208316F414B61A1D3709899EB94

Function 00EC5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00EC5726
_memcmp.LIBVCRUNTIME ref: 00EC5744
_memcmp.LIBVCRUNTIME ref: 00EC5757
_memcmp.LIBVCRUNTIME ref: 00EC576F
_memcmp.LIBVCRUNTIME ref: 00EC5787

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b35cd05b9c35773ca2b1ed1cc62552c2a030fda0aa949c4a4a44718f25498d8c
Instruction ID: 9dcb87f8c8d64679746de1782385b3c1fad72a70156794213dfa061168e4ab8c
Opcode Fuzzy Hash: b35cd05b9c35773ca2b1ed1cc62552c2a030fda0aa949c4a4a44718f25498d8c
Instruction Fuzzy Hash: D2019B63641719BAD21856109F41FFA639C9F21358B006026FD0C7A241F662FDA282A4

Function 00E92DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00E8F2DE,00E93863,00F31444,?,00E7FDF5,?,?,00E6A976,00000010,00F31440,00E613FC,?,00E613C6), ref: 00E92DFD
_free.LIBCMT ref: 00E92E32
_free.LIBCMT ref: 00E92E59
SetLastError.KERNEL32(00000000,00E61129), ref: 00E92E66
SetLastError.KERNEL32(00000000,00E61129), ref: 00E92E6F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: e3a2954a29cd836693a4787bef596ce975d2d8483ae2eace4d00ead67fd3542e
Instruction ID: c8312ebfa9fd5ff42cffcdb1036bf936df51e07540f0eb6ba482281f52a3d036
Opcode Fuzzy Hash: e3a2954a29cd836693a4787bef596ce975d2d8483ae2eace4d00ead67fd3542e
Instruction Fuzzy Hash: B901F4326056047BCE1367356CC6D6B26DDAFC17B9B31602DFA25B22D2EE608C0651A0

Function 00EC000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?,?,?,00EC035E), ref: 00EC002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?,?), ref: 00EC0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?,?), ref: 00EC0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?), ref: 00EC0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EBFF41,80070057,?,?), ref: 00EC0070

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1f58be2a8132a93a27cdd5b8485dfc50998dd78c33a609dfdf3d485088dab6b3
Instruction ID: a496e9e3cd4329dde93c921f4c2c4bd80d41a01723ef4ea7dfc14ce2a7016be7
Opcode Fuzzy Hash: 1f58be2a8132a93a27cdd5b8485dfc50998dd78c33a609dfdf3d485088dab6b3
Instruction Fuzzy Hash: 9601DF72600208FFDB114F69DE05FAA7AADEB84791F215428F801F2210D772DD05DBA0

Function 00ECE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00ECE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00ECE9A5
Sleep.KERNEL32(00000000), ref: 00ECE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00ECE9B7
Sleep.KERNEL32 ref: 00ECE9F3

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2bd5b240bc005c8a275d2197bcecec8d060cbbc4ca5483f8fb4dfaac5d63e8da
Instruction ID: 467930aa26d82d128afddbd263ea3d5115217415d49cb8ea01eb8b89ee0c6e5c
Opcode Fuzzy Hash: 2bd5b240bc005c8a275d2197bcecec8d060cbbc4ca5483f8fb4dfaac5d63e8da
Instruction Fuzzy Hash: D3016D31C0162DDBCF049FE5DE59AEDBB78FF89300F10158AE502B2240CB319556C7A1

Function 00EC10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EC1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EC0B9B,?,?,?), ref: 00EC1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EC114D

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 0ce3f8a4752707fd2081b83e51107e3ceeef69e5499d3b1e34eb59a8cbdf001f
Instruction ID: 231c4ee0c2163b1cea8e3a5b9520e794fec630631428976a9276a69f64a17c7d
Opcode Fuzzy Hash: 0ce3f8a4752707fd2081b83e51107e3ceeef69e5499d3b1e34eb59a8cbdf001f
Instruction Fuzzy Hash: F5016975201209BFDB115FA6DD49E6A3B6EEFCA3A4B340459FA41E3360DB31DC51CA60

Function 00EC0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EC0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EC0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EC0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EC0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EC1002

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1b954b639bb84bf3cfdd56d3415b974d16d92867838df4071d68d24392d2ac5d
Instruction ID: 6a486f90515e12332f28fc2d43ef4521342ba6aef7e8165717a3ab9784cfc410
Opcode Fuzzy Hash: 1b954b639bb84bf3cfdd56d3415b974d16d92867838df4071d68d24392d2ac5d
Instruction Fuzzy Hash: 03F0AF35201305AFD7210FA59E4AF663B6EEFCA761F300459F905E6251CA31DC51CA60

Function 00EC1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EC102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EC1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC1062

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a7f82df0f50b1eb00d35c050de2b37756d93ecb520ccb99062dc2a031277e500
Instruction ID: 3e00dd7b7c26b1f53bcf0bd32ea1ee5641ecb842323e9011dd830d2f08afb384
Opcode Fuzzy Hash: a7f82df0f50b1eb00d35c050de2b37756d93ecb520ccb99062dc2a031277e500
Instruction Fuzzy Hash: 12F0AF35201305AFD7211FA5EE4AF6A3B6DEFCA7A1F300414F905E6251CA31D851DA60

Function 00ED030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00ED017D,?,00ED32FC,?,00000001,00EA2592,?), ref: 00ED0324
CloseHandle.KERNEL32(?,?,?,?,00ED017D,?,00ED32FC,?,00000001,00EA2592,?), ref: 00ED0331
CloseHandle.KERNEL32(?,?,?,?,00ED017D,?,00ED32FC,?,00000001,00EA2592,?), ref: 00ED033E
CloseHandle.KERNEL32(?,?,?,?,00ED017D,?,00ED32FC,?,00000001,00EA2592,?), ref: 00ED034B
CloseHandle.KERNEL32(?,?,?,?,00ED017D,?,00ED32FC,?,00000001,00EA2592,?), ref: 00ED0358
CloseHandle.KERNEL32(?,?,?,?,00ED017D,?,00ED32FC,?,00000001,00EA2592,?), ref: 00ED0365

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fc3deaa4cc0e1b237c00bde58e0b949952eead2eace10897f7ae48cc37775bc1
Instruction ID: 7228ca28a64f9a640affce0a8dafbd5d3901a01d2e063867d5000b6f4ca1fc35
Opcode Fuzzy Hash: fc3deaa4cc0e1b237c00bde58e0b949952eead2eace10897f7ae48cc37775bc1
Instruction Fuzzy Hash: 5E01E272800B058FC7309F66D880812F7F5FF503193199A3FD19262A30C3B0A959CF80

Function 00E9D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E9D752

Part of subcall function 00E929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000), ref: 00E929DE
Part of subcall function 00E929C8: GetLastError.KERNEL32(00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000,00000000), ref: 00E929F0

_free.LIBCMT ref: 00E9D764
_free.LIBCMT ref: 00E9D776
_free.LIBCMT ref: 00E9D788
_free.LIBCMT ref: 00E9D79A

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a5a7b9d36e294cd68e9cab3ea7c4285c455833f524312fbbcb742789857a2703
Instruction ID: 744843ef7eb222b73f8281533018c5b1ab703863466f7e48e03744e1d9e0bb45
Opcode Fuzzy Hash: a5a7b9d36e294cd68e9cab3ea7c4285c455833f524312fbbcb742789857a2703
Instruction Fuzzy Hash: 59F0FF32548218BB8E21EBA4FDC5C5A7BDDBB447147A4280AF14CF7501C720FC8086E4

Function 00EC5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00EC5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00EC5C6F
MessageBeep.USER32(00000000), ref: 00EC5C87
KillTimer.USER32(?,0000040A), ref: 00EC5CA3
EndDialog.USER32(?,00000001), ref: 00EC5CBD

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 7d45c7dbd2a039f34e9c98aa4bf7b3ad7f56e4ea25c7a2b19e3df437af7fb275
Instruction ID: da67cb889e0d782839e7e5e1ddb45ca9702fdc53de64782526420bdd78fbae62
Opcode Fuzzy Hash: 7d45c7dbd2a039f34e9c98aa4bf7b3ad7f56e4ea25c7a2b19e3df437af7fb275
Instruction Fuzzy Hash: FD016231500B08AFEB205B11DF4EFA6B7B8BB40B05F15155DA593B10E1DBF1B989CA90

Function 00E922A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E922BE

Part of subcall function 00E929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000), ref: 00E929DE
Part of subcall function 00E929C8: GetLastError.KERNEL32(00000000,?,00E9D7D1,00000000,00000000,00000000,00000000,?,00E9D7F8,00000000,00000007,00000000,?,00E9DBF5,00000000,00000000), ref: 00E929F0

_free.LIBCMT ref: 00E922D0
_free.LIBCMT ref: 00E922E3
_free.LIBCMT ref: 00E922F4
_free.LIBCMT ref: 00E92305

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 96dc814ca571be3aa6b8e34b248448af77a22d40cc109019b2a0e213f61ff589
Instruction ID: 7e76f67bd2ad7992e469e5c3883f1c50883fd1b8a7c8384416664f16482d21e9
Opcode Fuzzy Hash: 96dc814ca571be3aa6b8e34b248448af77a22d40cc109019b2a0e213f61ff589
Instruction Fuzzy Hash: AFF05E70801528AB8E22EF64BC0184E3BA6F758770700150FF518E23B1CB304912FFE4

Function 00E795C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00E795D4
StrokeAndFillPath.GDI32(?,?,00EB71F7,00000000,?,?,?), ref: 00E795F0
SelectObject.GDI32(?,00000000), ref: 00E79603
DeleteObject.GDI32 ref: 00E79616
StrokePath.GDI32(?), ref: 00E79631

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: c0809e7558e67fc5bcb2ae4a21ac5388d9473e748dae8ff8b40b481ad8b239b4
Instruction ID: d625613ccf40a0ec9d47c1c6a51690ac579176f59ce06766c9b44bffe2180ce8
Opcode Fuzzy Hash: c0809e7558e67fc5bcb2ae4a21ac5388d9473e748dae8ff8b40b481ad8b239b4
Instruction Fuzzy Hash: D4F0C93500660CEFDB169F66EE18BA43B66BB41376F248354F469650F1CB3089A9EF20

Function 00E90F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00E910F9
__freea.LIBCMT ref: 00E91117

Part of subcall function 00E91537: _free.LIBCMT ref: 00E9154F

Strings

am/pm, xrefs: 00E9117A
a/p, xrefs: 00E911DE

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 7a592608741aa7357d76950a1c0aeed0e6da1eb32bbcdd4d6407269e2a0b7601
Instruction ID: f5494a9a49eb3708029c1d186766050422e072e688998616e1dd0ddea7876622
Opcode Fuzzy Hash: 7a592608741aa7357d76950a1c0aeed0e6da1eb32bbcdd4d6407269e2a0b7601
Instruction Fuzzy Hash: 24D1FF31A00207DADF29DF68C885BFEB7B1EF06704F292199E915BBA50D3759D80CB91

Function 00E95AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO, xrefs: 00E95BA8, 00E95C6C

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-1663374661
Opcode ID: 3291df8d66367ea643a18341a44b736b19cdd462eb1fff557747ce1dfa71d266
Instruction ID: 87d233b239aa3e66a2688a06e00e2130a25617b6b6028ac6cb803dc9c9bea0b3
Opcode Fuzzy Hash: 3291df8d66367ea643a18341a44b736b19cdd462eb1fff557747ce1dfa71d266
Instruction Fuzzy Hash: 15518F72900609AFCF22AFA4C945EEEBBF8AF45314F14215AF409B72A1D7719901DB61

Function 00E98A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00E98B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00E98B7A
__dosmaperr.LIBCMT ref: 00E98B81

Strings

., xrefs: 00E98A63

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .
API String ID: 2434981716-3963672497
Opcode ID: e324e3d0ab81519cb2a8f97b2f5d41b9f24cb78b00ee5e0268af1ef6ee8ca926
Instruction ID: b480a65855b1575ae645e811e0fa46ed00c4bdc4a598f6af06c9bab2b5fe5857
Opcode Fuzzy Hash: e324e3d0ab81519cb2a8f97b2f5d41b9f24cb78b00ee5e0268af1ef6ee8ca926
Instruction Fuzzy Hash: F4416EB4604145AFDF249F24C990ABD7FE6DB87314F2C519AF485A7262EE318C02D790

Function 00EC2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EC21D0,?,?,00000034,00000800,?,00000034), ref: 00ECB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00EC2760

Part of subcall function 00ECB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EC21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00ECB3F8

Part of subcall function 00ECB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00ECB355
Part of subcall function 00ECB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00EC2194,00000034,?,?,00001004,00000000,00000000), ref: 00ECB365
Part of subcall function 00ECB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00EC2194,00000034,?,?,00001004,00000000,00000000), ref: 00ECB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EC27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EC281A

Strings

@, xrefs: 00EC2832

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 722d80576718938f1aac238cda0a4c0a8f7292bc3bed5cb985d4f924982ccb42
Instruction ID: b3d4ae1a908226b0758c5908d37b6cf05bee38efb527945e0eb61937fc04c403
Opcode Fuzzy Hash: 722d80576718938f1aac238cda0a4c0a8f7292bc3bed5cb985d4f924982ccb42
Instruction Fuzzy Hash: C0412D72900218AFDB14DBA4CD86FEEBBB8AF09700F105099FA55B7181DB716E46CB61

Function 00E9172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00E91769
_free.LIBCMT ref: 00E91834
_free.LIBCMT ref: 00E9183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00E91760, 00E91767, 00E91796, 00E917CE

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: 42eef6957b9a7d78d7a39a32ea7c551e1c60d5f9ace449ed4d2c7b6cb13e43ce
Instruction ID: 6c41b8b5e512a36b9f8f0071fe601b10c9fdce77edc73223bbe24a96e2e1cfd9
Opcode Fuzzy Hash: 42eef6957b9a7d78d7a39a32ea7c551e1c60d5f9ace449ed4d2c7b6cb13e43ce
Instruction Fuzzy Hash: F4317075A0021AAFDF25DF99D885D9FBBFCEB85324B1451ABF804E7211D6708E40DBA0

Function 00ECC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00ECC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00ECC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F31990,01635A98), ref: 00ECC395

Strings

0, xrefs: 00ECC2DF

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 985db7535f4d2ac5fa02810e5b822d4c955f3f746ddaafdb5b99c72b6a085fa0
Instruction ID: ccef9b41ab721aae675438b352ae1c252f9a57e8192ba3f220e0a514afa267a3
Opcode Fuzzy Hash: 985db7535f4d2ac5fa02810e5b822d4c955f3f746ddaafdb5b99c72b6a085fa0
Instruction Fuzzy Hash: 3C41E5312043419FD720DF29E944F5ABBE4AF85314F20966DF869E72D1C731E806CB52

Function 00EF4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00EFCC08,00000000,?,?,?,?), ref: 00EF44AA
GetWindowLongW.USER32 ref: 00EF44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EF44D7

Strings

SysTreeView32, xrefs: 00EF447C

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: a4ec385970f0f4454b1c69d75bf411b0a8424d1afcc617aa521a8dad61e25a3a
Instruction ID: 06a03c4d9219a1919c47b3e32da6a6b6273903f90960e3fde0c0535ce1b1dcbe
Opcode Fuzzy Hash: a4ec385970f0f4454b1c69d75bf411b0a8424d1afcc617aa521a8dad61e25a3a
Instruction Fuzzy Hash: 5F317C71214209AFDB219E38DC45BEB77A9EB48338F205725FA79B21E0D770EC549B50

Function 00EC6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00EC6EED
VariantCopyInd.OLEAUT32(?,?), ref: 00EC6F08
VariantClear.OLEAUT32(?), ref: 00EC6F12

Strings

*j, xrefs: 00EC6E8B, 00EC6E90, 00EC6EF8

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j
API String ID: 2173805711-1845181700
Opcode ID: 20dc98d40b192abb7913a2bbaa1cd13eace2992ed146fe330366713deed7d4b9
Instruction ID: 0dc86766741cb40885883b101845451bf0df8b8abc0566dc860756ab4b7de871
Opcode Fuzzy Hash: 20dc98d40b192abb7913a2bbaa1cd13eace2992ed146fe330366713deed7d4b9
Instruction Fuzzy Hash: 0E31B071704385DFCB05AFA4E950EBE37B6EF8A344B10149CFA02AB2A1C7719912DB90

Function 00EE304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00EE3077,?,?), ref: 00EE3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EE307A
_wcslen.LIBCMT ref: 00EE309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00EE3106

Strings

255.255.255.255, xrefs: 00EE3095, 00EE309A

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 3e9369124838481d47fa942df5f90b1b84139b0400563794df0d36f9159b956a
Instruction ID: a94a1eadad32bb88bb94c2e8b7ca419cc6205fd640de400f239514f1959642b8
Opcode Fuzzy Hash: 3e9369124838481d47fa942df5f90b1b84139b0400563794df0d36f9159b956a
Instruction Fuzzy Hash: 5A31E7352042899FCB20CF7AC589EAA77E0EF54318F259059E815AB393D732EF45C760

Function 00EF3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00EF3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00EF3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EF3F78

Strings

SysMonthCal32, xrefs: 00EF3F0B

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 6ca875f40b1ce33de7dab9359dba56784ffefbc6dd7df6d8dd09b7888ddfd0d7
Instruction ID: 5f6809da089aa5574e08121f99b4d2db9f6f65b983922b8b8e57670744b3ab01
Opcode Fuzzy Hash: 6ca875f40b1ce33de7dab9359dba56784ffefbc6dd7df6d8dd09b7888ddfd0d7
Instruction Fuzzy Hash: D621AD32600219BFDF218F60DC46FEA3BB6EF48728F111214FA15BB190D6B1A954CB90

Function 00EF4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00EF4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00EF4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EF471A

Strings

msctls_updown32, xrefs: 00EF4684

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 2b7bbe738b81c507afeaea08a224f3106a75a0f390a1a2d2a77f058f22bdf596
Instruction ID: 147519f02d05b130f0e6450d972b09f0ea5cd7cb75a63ce246c23172f986c16a
Opcode Fuzzy Hash: 2b7bbe738b81c507afeaea08a224f3106a75a0f390a1a2d2a77f058f22bdf596
Instruction Fuzzy Hash: 71214FF5601208AFEB10DF64DC81DB737EDEB8A3A8B151059F600AB291C770EC11DA60

Function 00EC95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EC961D

Strings

#OnAutoItStartRegister, xrefs: 00EC95F3
#notrayicon, xrefs: 00EC95B7
#requireadmin, xrefs: 00EC95D9

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 6dd630a81c01b32225c32725e83f208b057e87fb78f887dd0f26a612dfc50d86
Instruction ID: 3851c420745eee5d8e75f7e9dfed6ad0be81073a13110f552e0c0415dcef8ee6
Opcode Fuzzy Hash: 6dd630a81c01b32225c32725e83f208b057e87fb78f887dd0f26a612dfc50d86
Instruction Fuzzy Hash: AD21297220461166D331AB249E0AFBB73D8AF95318F50602EF94DB7082EB529D42C3A5

Function 00EF37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00EF3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00EF3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00EF3876

Strings

Listbox, xrefs: 00EF380F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a9104eac551e597cdc936d462ff2007be3e827377f8966c3404c67ec65da28ae
Instruction ID: e0a88ab03612c95bf70c92d5f5a9c5464ff3c74674396e1a5873545e99e0c82d
Opcode Fuzzy Hash: a9104eac551e597cdc936d462ff2007be3e827377f8966c3404c67ec65da28ae
Instruction Fuzzy Hash: 9821BE7261021CBBEF219F64DC81EBB376AEF897A4F119125FA04AB1D0C675DC52C7A0

Function 00ED49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00ED4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00ED4A5C
SetErrorMode.KERNEL32(00000000,?,?,00EFCC08), ref: 00ED4AD0

Strings

%lu, xrefs: 00ED4A6F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 9c354edb556a51621c5f0128b141ed51a7c0cc9a08b15ff211c3e49a46fb2488
Instruction ID: 3476dc44e43831ea2be18b58b25a01d21cd16b821c32fc9c9a06d367dd700161
Opcode Fuzzy Hash: 9c354edb556a51621c5f0128b141ed51a7c0cc9a08b15ff211c3e49a46fb2488
Instruction Fuzzy Hash: 45319174A00108AFDB10DF54C985EAABBF8EF48308F1490A9F809EB352D771ED46CB61

Function 00EF41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00EF424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00EF4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00EF4271

Strings

msctls_trackbar32, xrefs: 00EF4226

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 02f466199ab17588b2d08057793ca48fddcb782433dd78735d80ac7c49dea10b
Instruction ID: 34a089ece2ba1a0e52055e384553cd8277409570c115bf33cb154d4c4d8bfd4f
Opcode Fuzzy Hash: 02f466199ab17588b2d08057793ca48fddcb782433dd78735d80ac7c49dea10b
Instruction Fuzzy Hash: 1B11CE7124024CBEEF205E69CC06FBB3BA8EB85B68F111524FA55F20E0D271D8119B20

Function 00EC2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E66B57: _wcslen.LIBCMT ref: 00E66B6A

Part of subcall function 00EC2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EC2DC5
Part of subcall function 00EC2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EC2DD6
Part of subcall function 00EC2DA7: GetCurrentThreadId.KERNEL32 ref: 00EC2DDD
Part of subcall function 00EC2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00EC2DE4

GetFocus.USER32 ref: 00EC2F78

Part of subcall function 00EC2DEE: GetParent.USER32(00000000), ref: 00EC2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00EC2FC3
EnumChildWindows.USER32(?,00EC303B), ref: 00EC2FEB

Strings

%s%d, xrefs: 00EC2FFF

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: ee61e124e69147686b7d9737e39c16a5c7e6e68033825e6813ec36b49c557636
Instruction ID: 1bd3f209c8d18f955306dcfdc5486cacb1cfcf6944dab7c0518ff7aa0cbf6693
Opcode Fuzzy Hash: ee61e124e69147686b7d9737e39c16a5c7e6e68033825e6813ec36b49c557636
Instruction Fuzzy Hash: 2B11C6712002099BCF106F709D86FED77A99F94304F149079B909B7292DE71594ACB60

Function 00EF5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00EF58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00EF58EE
DrawMenuBar.USER32(?), ref: 00EF58FD

Strings

0, xrefs: 00EF588F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: aa76eb8c390dd1a86be8e001e2c8da320090dddcc710ef461714562dcae6d8e4
Instruction ID: d463034ccc4a97fd4018f0004a60ef17c8b46ea4a154187085893c086517634a
Opcode Fuzzy Hash: aa76eb8c390dd1a86be8e001e2c8da320090dddcc710ef461714562dcae6d8e4
Instruction Fuzzy Hash: 48015E3250021CEEDB219F11DC44BBEBBB4FF85364F208099EA59E6151EB708A84DF21

Function 00EBD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00EBD3BF
FreeLibrary.KERNEL32 ref: 00EBD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00EBD3B9
X64, xrefs: 00EBD2A8

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 62753dd600b339f3a288fd7be197059f90f89cf1403e5a4a4b9142b463e1b051
Instruction ID: d353490d7aa2f8cbe9ed506b6e43104ec5659737e46c145933fbb2b82ab5b72b
Opcode Fuzzy Hash: 62753dd600b339f3a288fd7be197059f90f89cf1403e5a4a4b9142b463e1b051
Instruction Fuzzy Hash: B0F0553180E66A8BD73112114C249FB3370AF50705B78B578E402F101AFB28CC888292

Function 00EC007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6b3ed5c8f956fb917b0130e621a8ee4ccaf3892b232e87f9c2d4931ac3ac99
Instruction ID: 9034c68e8b78b92075d845c3edd4fe7a1c861c1ff1e21bea75af1f21afed90c3
Opcode Fuzzy Hash: 3a6b3ed5c8f956fb917b0130e621a8ee4ccaf3892b232e87f9c2d4931ac3ac99
Instruction Fuzzy Hash: C1C13875A0021AEFDB14CF98C994FAEB7B5FF48304F249598E505AB251D732DD42CB90

Function 00EE342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EE3459
CoUninitialize.OLE32 ref: 00EE3463
VariantInit.OLEAUT32(?), ref: 00EE346E
VariantClear.OLEAUT32(?), ref: 00EE371B

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 39d3182ba8df37cfc6ff4feb5764661702e0ccbd232c813d553b6bd4d59122cd
Instruction ID: e870932ecf0b54f003f9f2dc3e4daa309af5546733091012754c2d8573f94a65
Opcode Fuzzy Hash: 39d3182ba8df37cfc6ff4feb5764661702e0ccbd232c813d553b6bd4d59122cd
Instruction Fuzzy Hash: 05A16A752043059FC700DF29C589A2AB7E5FF88754F14985EF98AAB362DB30EE05CB91

Function 00EC0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00EFFC08,?), ref: 00EC05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00EFFC08,?), ref: 00EC0608
CLSIDFromProgID.OLE32(?,?,00000000,00EFCC40,000000FF,?,00000000,00000800,00000000,?,00EFFC08,?), ref: 00EC062D
_memcmp.LIBVCRUNTIME ref: 00EC064E

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 5e9d3d79dce81bd8d9d72557f1af9e28e48404d3596edd9a16b8a08109846d66
Instruction ID: 984f79549d55c471e4ba13af5a69166f3363eec0c9abe60f909b5bd13e475db5
Opcode Fuzzy Hash: 5e9d3d79dce81bd8d9d72557f1af9e28e48404d3596edd9a16b8a08109846d66
Instruction Fuzzy Hash: DF81E975A00109EFCB04DF94CA84EEEB7B9FF89315F205558E516BB250DB72AE06CB60

Function 00EEA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00EEA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00EEA6BA

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Process32NextW.KERNEL32(00000000,?), ref: 00EEA79C
CloseHandle.KERNEL32(00000000), ref: 00EEA7AB

Part of subcall function 00E7CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00EA3303,?), ref: 00E7CE8A

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 7379924c27b16162c05cf9b8cc49829d2fc7c1ab126c41484a63180321b3e561
Instruction ID: 023f47497b9bf3f3163aaed6671447be8757f36d81df8b2dd6850412915324ca
Opcode Fuzzy Hash: 7379924c27b16162c05cf9b8cc49829d2fc7c1ab126c41484a63180321b3e561
Instruction Fuzzy Hash: EB517E715083009FD314DF25D886A6BBBE8FF89754F14992DF589A7292EB30E904CB92

Function 00EA1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EA14C0

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: df7384f6a1d6196ea69ebdee8f8540d0659475157329db2322134f5324725f73
Instruction ID: c19322788d1a4bb5fb398256053f6b5de504c53976b963b440e08b7ac38745f8
Opcode Fuzzy Hash: df7384f6a1d6196ea69ebdee8f8540d0659475157329db2322134f5324725f73
Instruction Fuzzy Hash: 13413B31A00114ABDF267BBD8C45ABE3AE5EF4F374F2422A5F43CFA192E634584153A1

Function 00EF6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EF62E2
ScreenToClient.USER32(?,?), ref: 00EF6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00EF6382

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c2b3b3649b83b472ede1b4167a530b24b7cfcfa0fd28ca90d2505533a282e163
Instruction ID: 1ba1c5b40bcdf7467268c8de6622889bec7ed9bd73201a40f2d2d4fb55531fd2
Opcode Fuzzy Hash: c2b3b3649b83b472ede1b4167a530b24b7cfcfa0fd28ca90d2505533a282e163
Instruction Fuzzy Hash: 71513974A01209EFDB10DF68D880ABE7BB6FB95364F209169F915AB2A0D730ED41CB50

Function 00EE1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00EE1AFD
WSAGetLastError.WSOCK32 ref: 00EE1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00EE1B8A
WSAGetLastError.WSOCK32 ref: 00EE1B94

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 8711677a1bf47da66079d246ed0100fb0dbe83ba8b63d6ea63c9ef688be81c43
Instruction ID: 0e50b22168626ddf60f6d0af9efb96e59642e8e66c3484fc44717625092377ac
Opcode Fuzzy Hash: 8711677a1bf47da66079d246ed0100fb0dbe83ba8b63d6ea63c9ef688be81c43
Instruction Fuzzy Hash: 4341D334640200AFE720AF25D886F2677E5AB44718F54D488F95AAF3D2E772ED81CB90

Function 00E9B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7078422d4c9c25d277e49cc5a796b50f0ed3348e16519fd625039448963760e
Instruction ID: b2f69c7aa8477e125e8358909947977c7ec1053de9405b4a928affee86bd6011
Opcode Fuzzy Hash: f7078422d4c9c25d277e49cc5a796b50f0ed3348e16519fd625039448963760e
Instruction Fuzzy Hash: 1C414075A00304BFDB24AF78DD41B9A7BE9EF88710F10552EF115FB291E37199019780

Function 00ED56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00ED5783
GetLastError.KERNEL32(?,00000000), ref: 00ED57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00ED57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00ED57FA

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 7895fa0debe966d849e3caaeff4f55aa3e93d47e5c44ad0986990195e0359174
Instruction ID: 8338e4144c751cf2a75e46dc41fcc9388acfc899db273b22bc62a8b477aed3f3
Opcode Fuzzy Hash: 7895fa0debe966d849e3caaeff4f55aa3e93d47e5c44ad0986990195e0359174
Instruction Fuzzy Hash: BD414E39600A10DFCB11DF15D544A5EBBF2EF89364B299499E84ABB362CB30FD41CB91

Function 00E9D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00E882D9,?,00E882D9,?,00000001,?,?,00000001,00E882D9,00E882D9), ref: 00E9D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E9D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00E9D9AB
__freea.LIBCMT ref: 00E9D9B4

Part of subcall function 00E93820: RtlAllocateHeap.NTDLL(00000000,?,00F31444,?,00E7FDF5,?,?,00E6A976,00000010,00F31440,00E613FC,?,00E613C6,?,00E61129), ref: 00E93852

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: edde0db4d1acbbbad365edfbac398cf0f9194b2a3efcdeff33cf68e7196e9414
Instruction ID: bc2c30b748ad7309a5d1c0d107f8adc0acb44fe2195c45861db883e5ec2a88be
Opcode Fuzzy Hash: edde0db4d1acbbbad365edfbac398cf0f9194b2a3efcdeff33cf68e7196e9414
Instruction Fuzzy Hash: BC31EF72A0021AABDF24EFA5DC41EAE7BA5EB80314F150169FC08F7290EB75CD54CB90

Function 00EF52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00EF5352
GetWindowLongW.USER32(?,000000F0), ref: 00EF5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EF5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EF53A8

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: aaac3aca062c773bdc04a2063adf699a38e49717d8d3cfa28c6b8acd620d07d8
Instruction ID: 15d291ab4833ee5e0e1b75e23b5fa6ff151c83920e5a6bc4c2f43b743be2eb20
Opcode Fuzzy Hash: aaac3aca062c773bdc04a2063adf699a38e49717d8d3cfa28c6b8acd620d07d8
Instruction Fuzzy Hash: 3131A136A57A0CEFEB209A1CCC05BF877A6AB25394F586111FB10B61E5C7B09940EB42

Function 00ECAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00ECABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00ECAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00ECAC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00ECACC6

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c6c19bba2ee97fa1a498a664eb7553687968bde37fd47f5e6b33d6d459cf2189
Instruction ID: 232264d93960c3380e3a72b21b5cba752499a1bf68b07b199f02fc467cbb25d3
Opcode Fuzzy Hash: c6c19bba2ee97fa1a498a664eb7553687968bde37fd47f5e6b33d6d459cf2189
Instruction Fuzzy Hash: C1311A3094431C6FEB34CB658904FFEB6A56B8531CF1C622EE481B21D1C37689568752

Function 00EF7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00EF769A
GetWindowRect.USER32(?,?), ref: 00EF7710
PtInRect.USER32(?,?,00EF8B89), ref: 00EF7720
MessageBeep.USER32(00000000), ref: 00EF778C

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1cbc3953f008a34055697cf4993d4161603f869e704709c6ac923d41eb9a8f6e
Instruction ID: 85b986e892a169766d4d18b189de1b41550f2fd41c8c0e128538033d3cd17b06
Opcode Fuzzy Hash: 1cbc3953f008a34055697cf4993d4161603f869e704709c6ac923d41eb9a8f6e
Instruction Fuzzy Hash: 03419E3461921CDFDB01EF59C894EB977F5BB48315F2550AAE694AB2A1C330E941CB90

Function 00EF16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00EF16EB

Part of subcall function 00EC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EC3A57
Part of subcall function 00EC3A3D: GetCurrentThreadId.KERNEL32 ref: 00EC3A5E
Part of subcall function 00EC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EC25B3), ref: 00EC3A65

GetCaretPos.USER32(?), ref: 00EF16FF
ClientToScreen.USER32(00000000,?), ref: 00EF174C
GetForegroundWindow.USER32 ref: 00EF1752

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 3cf063eb0d1cd477cd9a9ec2ca568b7694ea199ddff8a91e22f9a2fd4aac8866
Instruction ID: 96a2ce4eed4aecc60f4c69195b860209d166926068f351dc3a2d16d2f22daaff
Opcode Fuzzy Hash: 3cf063eb0d1cd477cd9a9ec2ca568b7694ea199ddff8a91e22f9a2fd4aac8866
Instruction Fuzzy Hash: 99315275D00149AFC700EFA5D981CBEBBF9EF48308B6490AAE455F7251D6319E45CBA0

Function 00ECDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00E67620: _wcslen.LIBCMT ref: 00E67625

_wcslen.LIBCMT ref: 00ECDFCB
_wcslen.LIBCMT ref: 00ECDFE2
_wcslen.LIBCMT ref: 00ECE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00ECE018

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 849b3f4abd03d7c947e9696fdb0c455e290682dba39ba8701d90ab134bcd154e
Instruction ID: 60e47b64ac4821d30084826ac93a70232348d49e2866eb64b2822696e2c949e0
Opcode Fuzzy Hash: 849b3f4abd03d7c947e9696fdb0c455e290682dba39ba8701d90ab134bcd154e
Instruction Fuzzy Hash: 5E21A671900215AFCB20EF64DD82B6EB7F8EF85760F145069E809BB381D6719D41CBA1

Function 00EF8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

GetCursorPos.USER32(?), ref: 00EF9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00EB7711,?,?,?,?,?), ref: 00EF9016
GetCursorPos.USER32(?), ref: 00EF905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00EB7711,?,?,?), ref: 00EF9094

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 38a29480140310c553fe3a0722c6eaa91641b4e2ad1c201b44f65196922770db
Instruction ID: a9f446d2ba5d2fdc97bc8891528dcf9e5a1b1ceb5b11c1372fb69298bacfb6ec
Opcode Fuzzy Hash: 38a29480140310c553fe3a0722c6eaa91641b4e2ad1c201b44f65196922770db
Instruction Fuzzy Hash: 4F218D3160001CAFDB258F95C858FFA3BB9EB89360F104065FA456B2A2C7759A90EB60

Function 00ECD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00EFCB68), ref: 00ECD2FB
GetLastError.KERNEL32 ref: 00ECD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00ECD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00EFCB68), ref: 00ECD376

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 1da45d3487e40d2460e8329af32181ba04c2d8784f1724442b097029b64a3c85
Instruction ID: c2dd301c50ed8d562c180fcef43c9b4bf1d142dfa9d28f64f9abb3766183e96e
Opcode Fuzzy Hash: 1da45d3487e40d2460e8329af32181ba04c2d8784f1724442b097029b64a3c85
Instruction Fuzzy Hash: 7B21D8705083059F8300DF28DE819AE77E4EF95364F205A2DF495E72A1D732D90ACB53

Function 00EC1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EC102A
Part of subcall function 00EC1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EC1036
Part of subcall function 00EC1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC1045
Part of subcall function 00EC1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC104C
Part of subcall function 00EC1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EC1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00EC15BE
_memcmp.LIBVCRUNTIME ref: 00EC15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC1617
HeapFree.KERNEL32(00000000), ref: 00EC161E

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: b247d43992ed6d0e9d26f0c9b34592212981776298a09ab2489aee79d2da4569
Instruction ID: 165eaef5e740f0723d78fb44ddca7d3c345fba49e10f8f527624418e4bb5a29e
Opcode Fuzzy Hash: b247d43992ed6d0e9d26f0c9b34592212981776298a09ab2489aee79d2da4569
Instruction Fuzzy Hash: A7217C71E00108AFDB00DFA4CA45FEEB7B8EF85344F284499E445B7242D732AA46DB50

Function 00EF2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00EF280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EF2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EF2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00EF2840

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: b680f70609599597db6baa995ddea7c7cc18ffe039e3028b11d8bfb7d301abe1
Instruction ID: e8c96e4a0783c8fcedfb066b637a9a87060a4487c310abf81558c343a5456efb
Opcode Fuzzy Hash: b680f70609599597db6baa995ddea7c7cc18ffe039e3028b11d8bfb7d301abe1
Instruction Fuzzy Hash: 9C21F131204559AFD7149B24C844FBA7B99EF85324F24915CF626EB2E2C771FC82C790

Function 00EC78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00EC790A,?,000000FF,?,00EC8754,00000000,?,0000001C,?,?), ref: 00EC8D8C
Part of subcall function 00EC8D7D: lstrcpyW.KERNEL32(00000000,?,?,00EC790A,?,000000FF,?,00EC8754,00000000,?,0000001C,?,?,00000000), ref: 00EC8DB2
Part of subcall function 00EC8D7D: lstrcmpiW.KERNEL32(00000000,?,00EC790A,?,000000FF,?,00EC8754,00000000,?,0000001C,?,?), ref: 00EC8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00EC8754,00000000,?,0000001C,?,?,00000000), ref: 00EC7923
lstrcpyW.KERNEL32(00000000,?,?,00EC8754,00000000,?,0000001C,?,?,00000000), ref: 00EC7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00EC8754,00000000,?,0000001C,?,?,00000000), ref: 00EC7984

Strings

cdecl, xrefs: 00EC797B

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 69c81b720ea3cfdc60d725040441a599837501f2c950007fa9920e3a2ee38260
Instruction ID: 24f9efc61a5dc40153d84f39801bdc0447b8449b9db72457ad95effac927a1b3
Opcode Fuzzy Hash: 69c81b720ea3cfdc60d725040441a599837501f2c950007fa9920e3a2ee38260
Instruction Fuzzy Hash: 8B11063A200201AFCB159F35D944E7A77E9FF85354B10502EF986D7264EB329812CB61

Function 00EF7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00EF7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00EF7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00EF7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00EDB7AD,00000000), ref: 00EF7D6B

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: d81650bcbe5522d0f0d8ce3dcb16e052282bf8b313c8f84a1669266893c3bb35
Instruction ID: 1cd555d7302c823159f701539ad89f84149764a7fbbf360afb9b7719be273740
Opcode Fuzzy Hash: d81650bcbe5522d0f0d8ce3dcb16e052282bf8b313c8f84a1669266893c3bb35
Instruction Fuzzy Hash: FF11D23120561DAFCB108F29CC04AB63BA5BF86374B619324F979EB2F0D7318951DB40

Function 00EF5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00EF56BB
_wcslen.LIBCMT ref: 00EF56CD
_wcslen.LIBCMT ref: 00EF56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EF5816

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b5ddc812aecff91a7101043d1b9df6b14cf464a2eb6e729bef6de6b4748dbc85
Instruction ID: 9fbefe0bd05640276d8534da3fae1439dfcc6105222c598c99b556a6641955d5
Opcode Fuzzy Hash: b5ddc812aecff91a7101043d1b9df6b14cf464a2eb6e729bef6de6b4748dbc85
Instruction Fuzzy Hash: AD11D67260060D96DB209F61CC85AFE77BCEF61764F10902AFB2AF6081E770C984CB61

Function 00E91D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b992d037019dbb5b367e560eccb34bbaa540cb889a470d0704420b2a10ca27
Instruction ID: 56928664ecb133fb951ea81433ace9127010ad0735299835e1fd150e2d4d7490
Opcode Fuzzy Hash: 95b992d037019dbb5b367e560eccb34bbaa540cb889a470d0704420b2a10ca27
Instruction Fuzzy Hash: E2016DF220A71B7EFE2126796CC1F67666DDF813B9B352369F631B11D2DB608C009160

Function 00EC1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00EC1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EC1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EC1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EC1A8A

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: def05be0b22db8b234876082315033e302d954ff9f27e0e57412b263c5d95faa
Instruction ID: ee403ab5bd6888e1b6efbee2e53354fd246c755b15622496c3f2af8576f87e06
Opcode Fuzzy Hash: def05be0b22db8b234876082315033e302d954ff9f27e0e57412b263c5d95faa
Instruction Fuzzy Hash: 1E11393AD01219FFEB10DBA5CD85FADBB78EB08750F200095EA00B7290D6716E51DB94

Function 00ECE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00ECE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00ECE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00ECE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00ECE24D

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: cf08a91690d1cd0d09ee07b4f08ef4f33260483d142ce4dd7fe3a52f72a93519
Instruction ID: 1933f778703494bcb5be8c276e932a9941f6aaff0757dbca04fff4509005722d
Opcode Fuzzy Hash: cf08a91690d1cd0d09ee07b4f08ef4f33260483d142ce4dd7fe3a52f72a93519
Instruction Fuzzy Hash: 3911087290521CBFC7059BA89D05FAE7FADAB85324F204259F824F3391D271CD0487A0

Function 00E8D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00E8CFF9,00000000,00000004,00000000), ref: 00E8D218
GetLastError.KERNEL32 ref: 00E8D224
__dosmaperr.LIBCMT ref: 00E8D22B
ResumeThread.KERNEL32(00000000), ref: 00E8D249

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: f316738cf2351f0404bf58e0ac77a9cffad0380c9dc05a7ca54d35ee964cd4cc
Instruction ID: 1a118a67076742c7a9304b33d26478d4f984ba0358f52d9a4a048355865b9eb2
Opcode Fuzzy Hash: f316738cf2351f0404bf58e0ac77a9cffad0380c9dc05a7ca54d35ee964cd4cc
Instruction Fuzzy Hash: 9F01D636409208BFDB117BA5DC09BAE7BA9EF81730F201259F92DB21F0CB708905C7A0

Function 00EF9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00E79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E79BB2

GetClientRect.USER32(?,?), ref: 00EF9F31
GetCursorPos.USER32(?), ref: 00EF9F3B
ScreenToClient.USER32(?,?), ref: 00EF9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00EF9F7A

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 8c2534c0415d4fa1829ad2f9b0ff6e699710c7972d6ac4307a652e41ccba40d1
Instruction ID: d2f1391bc1cc6bcccddd7f328846caa9c863d2d2c239cc15be7610c8c9561079
Opcode Fuzzy Hash: 8c2534c0415d4fa1829ad2f9b0ff6e699710c7972d6ac4307a652e41ccba40d1
Instruction Fuzzy Hash: 6F112532A0011EABDB10DF69C849AFE77B9FB45311F204451FA51F7142D730AA85CBA1

Function 00E6600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E6604C
GetStockObject.GDI32(00000011), ref: 00E66060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E6606A

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 130041926f5b3f37cff945bbca058dbeffde79f02d293e82a75fe09c7d3ce606
Instruction ID: e89556b58fd36df9afb37d1b332a828ef2245dc6ecce0906ba838312559e35e7
Opcode Fuzzy Hash: 130041926f5b3f37cff945bbca058dbeffde79f02d293e82a75fe09c7d3ce606
Instruction Fuzzy Hash: D7118E72101508BFEF625FA49C44AEABF69EF483A4F101116FA0466050D772DC60DB90

Function 00E83B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00E83B56

Part of subcall function 00E83AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00E83AD2
Part of subcall function 00E83AA3: ___AdjustPointer.LIBCMT ref: 00E83AED

_UnwindNestedFrames.LIBCMT ref: 00E83B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00E83B7C
CallCatchBlock.LIBVCRUNTIME ref: 00E83BA4

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 7ae86b8f66f9b4d4c218ffe7e59f868d7b54156177a2b3104daa18e17e7ea620
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: CF0129B2100149BBDF126EA5CC42EEB7FA9EF48B58F045014FE4C66121D732E961EBA0

Function 00E93073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E613C6,00000000,00000000,?,00E9301A,00E613C6,00000000,00000000,00000000,?,00E9328B,00000006,FlsSetValue), ref: 00E930A5
GetLastError.KERNEL32(?,00E9301A,00E613C6,00000000,00000000,00000000,?,00E9328B,00000006,FlsSetValue,00F02290,FlsSetValue,00000000,00000364,?,00E92E46), ref: 00E930B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E9301A,00E613C6,00000000,00000000,00000000,?,00E9328B,00000006,FlsSetValue,00F02290,FlsSetValue,00000000), ref: 00E930BF

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: f3845d7a78cfb7c8171685455f5d2f2a355ce16b545fff3d7dc4789144577487
Instruction ID: 5905f76ad6173c06a50fbdda4835b69a7ffe38466d931b5562eaf952a543f933
Opcode Fuzzy Hash: f3845d7a78cfb7c8171685455f5d2f2a355ce16b545fff3d7dc4789144577487
Instruction Fuzzy Hash: 9A01F232302726ABDF314B79AC44AAB7B99EF45BA5B314620F916F3150DB21DD09C6E0

Function 00EC7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00EC747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00EC7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00EC74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00EC74CA

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 5388b656015e84b692b1f62c17c091af270c77d97ed49d9a972de5f8b0aa398d
Instruction ID: 8f78469130953977ea9900a6929e8b94e9080b0bdd398da1c081adfb8b114aee
Opcode Fuzzy Hash: 5388b656015e84b692b1f62c17c091af270c77d97ed49d9a972de5f8b0aa398d
Instruction Fuzzy Hash: 57117CB12053149FE7248F14DE09FA2BBB8FB40B04F20856DA6B6E6151D771E909DF50

Function 00ECB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00ECACD3,?,00008000), ref: 00ECB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00ECACD3,?,00008000), ref: 00ECB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00ECACD3,?,00008000), ref: 00ECB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00ECACD3,?,00008000), ref: 00ECB126

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: fe46abf3e55da658b5fccea143b4e18980a2f57b3a1def19fc3bdf9a31ff6eb3
Instruction ID: 98141121cf50c4028a809f5c71d8ca38f8e182c8dc1d787194fe6f66c7f3a402
Opcode Fuzzy Hash: fe46abf3e55da658b5fccea143b4e18980a2f57b3a1def19fc3bdf9a31ff6eb3
Instruction Fuzzy Hash: C9112A31C0251CEBCF049FA5DA5ABEEBB78FF49711F205089D941B2181CB315552CB52

Function 00EF7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EF7E33
ScreenToClient.USER32(?,?), ref: 00EF7E4B
ScreenToClient.USER32(?,?), ref: 00EF7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00EF7E8A

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 97f2378979fd75269a60841b4749b9d7f893771a231bdad25fc90b597cf2a1e2
Instruction ID: 973ec7d558bd7d6a1d3b9cb5f95736b590c6556552e23bf803a40f99e411d9ae
Opcode Fuzzy Hash: 97f2378979fd75269a60841b4749b9d7f893771a231bdad25fc90b597cf2a1e2
Instruction Fuzzy Hash: 821143B9D0420EAFDB41DFA9C9849EEBBF5FB48310F505066E915E2210D735AA54CF50

Function 00EC2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EC2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00EC2DD6
GetCurrentThreadId.KERNEL32 ref: 00EC2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00EC2DE4

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1d4459fe1154616ea893395003d9d9a5cec17f220092eba942bbabab168ceb76
Instruction ID: f7f28e72d71f3113a223d21d2b6911e351a18e8a461193fa78a921b54334a41f
Opcode Fuzzy Hash: 1d4459fe1154616ea893395003d9d9a5cec17f220092eba942bbabab168ceb76
Instruction Fuzzy Hash: 2FE06D711052287BD7201B639E0DFFB3E6CEF92FA1F61101DB206F10809AA18985C6B0

Function 00EF8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E79639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E79693
Part of subcall function 00E79639: SelectObject.GDI32(?,00000000), ref: 00E796A2
Part of subcall function 00E79639: BeginPath.GDI32(?), ref: 00E796B9
Part of subcall function 00E79639: SelectObject.GDI32(?,00000000), ref: 00E796E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00EF8887
LineTo.GDI32(?,?,?), ref: 00EF8894
EndPath.GDI32(?), ref: 00EF88A4
StrokePath.GDI32(?), ref: 00EF88B2

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: d17b62a5f251a68c38a9f4c6e0f0fac8f743f409d6928eb8804123875a42330b
Instruction ID: 93d3a766fd58ae21300e2eb041ae76b697ada62aa03bc91f46ca6781f867ca5e
Opcode Fuzzy Hash: d17b62a5f251a68c38a9f4c6e0f0fac8f743f409d6928eb8804123875a42330b
Instruction Fuzzy Hash: 58F09A3600225CBADB125F95AD09FEA3E69AF46324F608000FA01710E2CB740525DBE5

Function 00E798B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E798CC
SetTextColor.GDI32(?,?), ref: 00E798D6
SetBkMode.GDI32(?,00000001), ref: 00E798E9
GetStockObject.GDI32(00000005), ref: 00E798F1

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 4d9fbd0125f266b6af22f389ad49b180ae5c153219a8d160bea6a099991e8f46
Instruction ID: e40e8542bc5f7eb6b6d0bb34cef268b69de7b704055e0374f85aaef92438db8a
Opcode Fuzzy Hash: 4d9fbd0125f266b6af22f389ad49b180ae5c153219a8d160bea6a099991e8f46
Instruction Fuzzy Hash: D1E06531245244AEDB215B75BD09BF93F21EB91336F348219F6F9680E1C3714654DB10

Function 00EC162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00EC1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00EC11D9), ref: 00EC163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00EC11D9), ref: 00EC1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00EC11D9), ref: 00EC164F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 87d51e64d14c0110367ca8a009999324d3fdb72e6c3db4f16de5261bb1cb2745
Instruction ID: 18d6354980e346dc7ca2756f833eae65a0ea6dae41ca631633a2f9e9293ec7b1
Opcode Fuzzy Hash: 87d51e64d14c0110367ca8a009999324d3fdb72e6c3db4f16de5261bb1cb2745
Instruction Fuzzy Hash: D4E08632602215DFD7201FB29F0DF663B7CEF85795F344848F245E9090EA35444AC750

Function 00EBD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00EBD858
GetDC.USER32(00000000), ref: 00EBD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EBD882
ReleaseDC.USER32(?), ref: 00EBD8A3

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 926f3a78b261c1571143871e3d86af4c68b66e87fbf866b36850ba9f93d6c140
Instruction ID: 9f687f295aa8e860b572a047957c1d34557fdf464ecab1b3bc73ea5c6af0fdc3
Opcode Fuzzy Hash: 926f3a78b261c1571143871e3d86af4c68b66e87fbf866b36850ba9f93d6c140
Instruction Fuzzy Hash: 44E0ED70904208DFCB419FA1990867DBBB1AB48711B359405E846F7350CB344506DF40

Function 00EBD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00EBD86C
GetDC.USER32(00000000), ref: 00EBD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EBD882
ReleaseDC.USER32(?), ref: 00EBD8A3

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0fc22298b96b82ce398078684c89add597d262d9f522ad7703658f25ef430b1c
Instruction ID: f33eaa02f141e09ef910c3cbe107a49a60cfca34926d17a0170002cbd1fae124
Opcode Fuzzy Hash: 0fc22298b96b82ce398078684c89add597d262d9f522ad7703658f25ef430b1c
Instruction Fuzzy Hash: 7BE01A70904208DFCB409FA1D90867DBBF1BB48710B359408E84AF7350CB38590ADF40

Function 00ED4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E67620: _wcslen.LIBCMT ref: 00E67625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00ED4ED4

Strings

LPT, xrefs: 00ED4DFB
*, xrefs: 00ED4E10

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: cbd1036e5f697dab23ab28b0e5d676c79517fb4aa24b37034f73a0f1a8aa0c8a
Instruction ID: 6b21725fb5aaaa7f5d9c7f895244a38e96db1e6bb93e33fe165cc80b16234f8d
Opcode Fuzzy Hash: cbd1036e5f697dab23ab28b0e5d676c79517fb4aa24b37034f73a0f1a8aa0c8a
Instruction Fuzzy Hash: EB9176B5A002449FCB14DF54C484EA9BBF5FF54308F14A09AE84AAF3A2D731ED46CB51

Function 00E7E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00E7E1B1

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4eddde027e735cd8403489c014450723b62a1f24db785753c9468d30892b2672
Instruction ID: b7c3a4ed198095a2055c406f65cab71f65044d282482435e5774be3be25f96f1
Opcode Fuzzy Hash: 4eddde027e735cd8403489c014450723b62a1f24db785753c9468d30892b2672
Instruction Fuzzy Hash: 16514635504296EFDB19DF68C0416FA7BA8EF19314F24A096E891BB3E1DA309D42DB90

Function 00E7F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E7F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E7F2BB

Strings

@, xrefs: 00E7F2AF

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2b039d1505a0bff3146ed4d3169ab0eee25c37000ac11e1f3d415979eed3c627
Instruction ID: 4aa50218cb42df343aa6d151583e81f840340f7e48f407b578d91875e733798e
Opcode Fuzzy Hash: 2b039d1505a0bff3146ed4d3169ab0eee25c37000ac11e1f3d415979eed3c627
Instruction Fuzzy Hash: 3051777141C7499BD320AF50E886BABBBF8FB84344F91884CF1D9510A5EB718529CB66

Function 00EE5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00EE57E0
_wcslen.LIBCMT ref: 00EE57EC

Strings

CALLARGARRAY, xrefs: 00EE57E6, 00EE57EB

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: b8b47cecd9133b8c9380ee00b408dc9e24f3360c95b5fffdfaf7d9fe98b40718
Instruction ID: 5085cbee03702cbb2b319b70913cac9c0ea68a2286beb5188663b6a92a9af93e
Opcode Fuzzy Hash: b8b47cecd9133b8c9380ee00b408dc9e24f3360c95b5fffdfaf7d9fe98b40718
Instruction Fuzzy Hash: 4241C232A001099FCB08DFA9C8829BEBBF5FF59328F10602DE505B7251E7309D81CB50

Function 00EDD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EDD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EDD13A

Strings

|, xrefs: 00EDD10B

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: b2feed8ed6e184aa9e0696431e66c919d4f5cbfcea83b574c77950501f2a6f0e
Instruction ID: 45c731082d55ac9d15e122059eacad202f2b7e1f82c5ff5cced49d2c66064c43
Opcode Fuzzy Hash: b2feed8ed6e184aa9e0696431e66c919d4f5cbfcea83b574c77950501f2a6f0e
Instruction Fuzzy Hash: 44313E71D01119ABCF15EFA4DC85AEE7FB9FF04344F101119F819B6261E731AA06DB90

Function 00EF356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00EF3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00EF365C

Strings

static, xrefs: 00EF35BC

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 7cd82b5f2a9f2c10f2606407767a3c46ce9a15d47b8c3031c30052984efcf367
Instruction ID: 8f15a57bc2a3e6087cd29c6fe39b53f4a3d02eacdcbd89fed4b54e30b0a9a133
Opcode Fuzzy Hash: 7cd82b5f2a9f2c10f2606407767a3c46ce9a15d47b8c3031c30052984efcf367
Instruction Fuzzy Hash: 49318E71110208AEDB20DF78DC40ABB73A9FF88764F11A619F9A5E7290DA30ED81D760

Function 00EF4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00EF461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EF4634

Strings

', xrefs: 00EF458E

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: e09f63194cfe0faf95de0dd3838610d49409d11c57a4b28280c76e00960587e2
Instruction ID: d11408ebaabbc465db7aba58d2c2ef8825cbe7b944a71251d8c44139bf047919
Opcode Fuzzy Hash: e09f63194cfe0faf95de0dd3838610d49409d11c57a4b28280c76e00960587e2
Instruction Fuzzy Hash: 043138B5A0120D9FDB14DFA9C980BEA7BB5FF49304F15506AEA04EB391E770A941CF90

Function 00EF31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00EF327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EF3287

Strings

Combobox, xrefs: 00EF3249

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 0ce39ff817cf60d24e248c68ba112061ce35eac148f1546449b1f5e50ca1fe08
Instruction ID: 1c5139acb789b632778abc764d0e14a361e71c8bcd99b9fddf1c2b3c162f18f3
Opcode Fuzzy Hash: 0ce39ff817cf60d24e248c68ba112061ce35eac148f1546449b1f5e50ca1fe08
Instruction Fuzzy Hash: C511B27130020C7FFF259EA4DC80EBB37ABEB943A8F205525FA18A72A0D631DD519760

Function 00EF3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E6600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E6604C
Part of subcall function 00E6600E: GetStockObject.GDI32(00000011), ref: 00E66060
Part of subcall function 00E6600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E6606A

GetWindowRect.USER32(00000000,?), ref: 00EF377A
GetSysColor.USER32(00000012), ref: 00EF3794

Strings

static, xrefs: 00EF3757

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5f63d5b9b0e83078a4dd181119e6f328c6da409fee4066f1a148fa48d3f846f4
Instruction ID: c6a195a8d9aca6bb7a3dc127e14002c2d79495a170de7cf6034dbb0a14f0ef45
Opcode Fuzzy Hash: 5f63d5b9b0e83078a4dd181119e6f328c6da409fee4066f1a148fa48d3f846f4
Instruction Fuzzy Hash: DB1147B261020DAFDB00EFB8CC45AFA7BB9EB08314F105925FA55E2250E734E810DB50

Function 00EDCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EDCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EDCDA6

Strings

<local>, xrefs: 00EDCD66

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1d0ec27b6d4d35e9592e6a48df19e9145927eb787d71a562dbad2f82b0dae9f5
Instruction ID: 453dd7ec1faebe2069865ab0d84efb3ab306af533224bd22b9ded519fd4c090f
Opcode Fuzzy Hash: 1d0ec27b6d4d35e9592e6a48df19e9145927eb787d71a562dbad2f82b0dae9f5
Instruction Fuzzy Hash: AC11A3712056367ED7284A668C45EF7BE6AEF527E8F205227B109A3280D6709846D6F0

Function 00EF3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00EF34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00EF34BA

Strings

edit, xrefs: 00EF348F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: a4ee1d4c8636ca2e2f9f368000ffafb0fc5b10fb7d0d1721cf881ed7c73cc29a
Instruction ID: 9a1767c435b1e6c8f9381c82731f272ddf34ca17aac8b2198941ba9b2ee7aa64
Opcode Fuzzy Hash: a4ee1d4c8636ca2e2f9f368000ffafb0fc5b10fb7d0d1721cf881ed7c73cc29a
Instruction Fuzzy Hash: 76116D7110020CAEEB218E74DC44AFA37AAEB45778F606724FA71A31D0C771DC519B60

Function 00EC6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

CharUpperBuffW.USER32(?,?,?), ref: 00EC6CB6
_wcslen.LIBCMT ref: 00EC6CC2

Strings

STOP, xrefs: 00EC6CBC, 00EC6CC1

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 4c886c675ecd49685b588706942f3e5dee338da04ce9222d328fda14fedc3d1e
Instruction ID: 60582c35400b001204d237ab5a6b927f040ca487d4a991860ac57a18327d5f1b
Opcode Fuzzy Hash: 4c886c675ecd49685b588706942f3e5dee338da04ce9222d328fda14fedc3d1e
Instruction Fuzzy Hash: F601C8326005278BCB20AFBDDE80EBF77F5EB61754710192CE462B7195EA32D941C650

Function 00EC1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EC3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00EC1D4C

Strings

ComboBox, xrefs: 00EC1CEB
ListBox, xrefs: 00EC1D16

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1f7395703b4154546ffe1b0af1e82fb603f3bca7a7a741d4694a0c7deeeeec17
Instruction ID: 68a69fd382bb3088b557367f25a1e1f6517706412c33c45404e7bef005e9cbd4
Opcode Fuzzy Hash: 1f7395703b4154546ffe1b0af1e82fb603f3bca7a7a741d4694a0c7deeeeec17
Instruction Fuzzy Hash: 63012D716401146BCB08EBA0DE11DFE77A8EB53390B10190DF823772C2EA31991DD661

Function 00EC1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EC3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00EC1C46

Strings

ComboBox, xrefs: 00EC1BE5
ListBox, xrefs: 00EC1C10

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 99612bab837aa8ac9d17d9341680d38b8509a346ba691b4a7aa579153a577886
Instruction ID: 46f254f4d269d76f0282dab2789c3f89ea740bbff60df24026901d6f1e98f285
Opcode Fuzzy Hash: 99612bab837aa8ac9d17d9341680d38b8509a346ba691b4a7aa579153a577886
Instruction Fuzzy Hash: A501887568110467CB08E7A0DB51FFFB7EC9B52780F14105DB40677283EA359A1DE672

Function 00EC1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EC3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00EC1CC8

Strings

ComboBox, xrefs: 00EC1C69
ListBox, xrefs: 00EC1C94

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cbe51e55f77727ee382b73e4e23dfdf93af37b4cf0b7bfe29edbbed514ff385b
Instruction ID: ce8776ae50046f7ca2dae322f17e2e61fbc834590dcde0a3ca9e507b085e2048
Opcode Fuzzy Hash: cbe51e55f77727ee382b73e4e23dfdf93af37b4cf0b7bfe29edbbed514ff385b
Instruction Fuzzy Hash: A901A77168011867CB08E7A0DB11FFEB3EC9B12780F242019B80173283EA369F1AD672

Function 00EC1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69CB3: _wcslen.LIBCMT ref: 00E69CBD

Part of subcall function 00EC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EC3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00EC1DD3

Strings

ComboBox, xrefs: 00EC1D75
ListBox, xrefs: 00EC1DA0

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c3e281c329159c50047a5806c60e229f95893cc85c13c36bd48abec7ddbeb9ed
Instruction ID: f8601b9c9676d67fdb609aa2c80a2d7a82eb4994bb52fb4d5824666e2465d4eb
Opcode Fuzzy Hash: c3e281c329159c50047a5806c60e229f95893cc85c13c36bd48abec7ddbeb9ed
Instruction Fuzzy Hash: 70F0F971A4021467C704F7A4DE51FFEB7ACAB02790F141919B422732C3DA71991D8271

Function 00EE747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EE7493
_wcslen.LIBCMT ref: 00EE74B9

Strings

3, 3, 16, 1, xrefs: 00EE7483

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: b1489c2e7390d7975fd3b016dcd48b2e892eec923d87a438afa90ca4dd976d14
Instruction ID: fff57d82c5a48ef1bcab021d8c5cae2741583c27254abbf4e3337451a71458b8
Opcode Fuzzy Hash: b1489c2e7390d7975fd3b016dcd48b2e892eec923d87a438afa90ca4dd976d14
Instruction Fuzzy Hash: 37E02B42205362109331327BACC197F5AC9CFC9750710382BF9DDF22E6EA94CD9193A1

Function 00EC0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00EC0B23

Strings

AutoIt, xrefs: 00EC0B17
Error allocating memory., xrefs: 00EC0B1C

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: f4ed44c7e7625ff0af577ce8ec913b6fd6c294d53792bf4580a360b8919388d9
Instruction ID: 433498443dc57f445583d4c0372d79334014cafce7216932cd78b5900b997839
Opcode Fuzzy Hash: f4ed44c7e7625ff0af577ce8ec913b6fd6c294d53792bf4580a360b8919388d9
Instruction Fuzzy Hash: 8CE0D83128431C2AD21036957D03F997AC4CF05F60F30542BF75CB54C38AE2649087E9

Function 00E80D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E7F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E80D71,?,?,?,00E6100A), ref: 00E7F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00E6100A), ref: 00E80D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E6100A), ref: 00E80D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E80D7F

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: b609f9239e3c20e20ccb513182ed5a6f3d576f1ccd60a581a9f2dc429ba2fbfb
Instruction ID: e68328a383d090033efc70fd351b1dd060854c515e535712f059fcac0a0d85b1
Opcode Fuzzy Hash: b609f9239e3c20e20ccb513182ed5a6f3d576f1ccd60a581a9f2dc429ba2fbfb
Instruction Fuzzy Hash: 90E06D702007118FE3A0AFB9E5043527BE4AF40754F10992DE48EE66A1DBB0E448CB91

Function 00ED3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00ED302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00ED3044

Strings

aut, xrefs: 00ED3038

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: c4912a55b55b5952b94e5ecab6115a060ff772058f46286b0bbb90af3ef082ce
Instruction ID: a9ec6038ae60b77e78e4963c78355a2357255921f0d738319cf12c50770f1c86
Opcode Fuzzy Hash: c4912a55b55b5952b94e5ecab6115a060ff772058f46286b0bbb90af3ef082ce
Instruction Fuzzy Hash: 8DD05B71500328ABDA209795AD0DFD73A6CD744750F1001517655E20A1DAB4D548CAD0

Function 00EBD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EBD220

Strings

%.3d, xrefs: 00EBD22B
X64, xrefs: 00EBD2A8

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 84bfe9d92bfe89372cb14b194af0cabfd3f0ad0b06f5a7774b916e410f7c34e2
Instruction ID: 738b074474c6c66fb57f9ecac541c6bec4f6089ea6a85407b0b556cc54b86092
Opcode Fuzzy Hash: 84bfe9d92bfe89372cb14b194af0cabfd3f0ad0b06f5a7774b916e410f7c34e2
Instruction Fuzzy Hash: 72D01271C0D158E9CB5096D0DC458FBB3BCEB48301F60A462F90AB1060F624C908AB61

Function 00EF2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EF236C
PostMessageW.USER32(00000000), ref: 00EF2373

Part of subcall function 00ECE97B: Sleep.KERNEL32 ref: 00ECE9F3

Strings

Shell_TrayWnd, xrefs: 00EF2365

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 65d9589d0e18342e70bfa2f8faeb5cf5ea67cc5131dcb1af1e59042199ef2067
Instruction ID: 20dfa903c509f8f041db51c1c829566853baa92b9443e5fa380ce4f3f57ac645
Opcode Fuzzy Hash: 65d9589d0e18342e70bfa2f8faeb5cf5ea67cc5131dcb1af1e59042199ef2067
Instruction Fuzzy Hash: D8D0A9323803107AE264A331AD0FFC666149B80B00F2009167201FA1D0C8B0A805CA05

Function 00EF2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EF232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00EF233F

Part of subcall function 00ECE97B: Sleep.KERNEL32 ref: 00ECE9F3

Strings

Shell_TrayWnd, xrefs: 00EF2325

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 92e8dff85e1a78924278bc6dbe77d923f1c83d2b9af1ec3c893bc37e26470a92
Instruction ID: 4babdb658e45ae115ea9a7fc0ac4bc19ee8047d130ca5af95f474d7d84535741
Opcode Fuzzy Hash: 92e8dff85e1a78924278bc6dbe77d923f1c83d2b9af1ec3c893bc37e26470a92
Instruction Fuzzy Hash: 30D02232384310BBE264B331ED0FFD67A149B80B00F2009167305FA1D0C8F0A805CA00

Function 00E9BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00E9BE93
GetLastError.KERNEL32 ref: 00E9BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E9BEFC

Memory Dump Source

Source File: 00000000.00000002.2233078011.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2232773582.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233307408.0000000000F22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233419234.0000000000F2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2233603446.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: f63307a895b039d90631045b57bae02a262c41af14b4f05ad9f55c9924cf188f
Instruction ID: 3ca102dbad09f69ad41849d1107957297942cd0c0e6d365429192c96eb4c8d25
Opcode Fuzzy Hash: f63307a895b039d90631045b57bae02a262c41af14b4f05ad9f55c9924cf188f
Instruction Fuzzy Hash: F341D43470020AAFCF219F65EE44ABE7BA9EF41714F246169F959B71A1DB308D01CB50

Analysis Process: firefox.exePID: 7880, Parent PID: 8044COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00000232A60C21F2 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00000232A60C2257

Strings

#, xrefs: 00000232A60C2282
>, xrefs: 00000232A60C62FF
4, xrefs: 00000232A60C62D9
>, xrefs: 00000232A60C22B9
z, xrefs: 00000232A60C3836
z, xrefs: 00000232A60C228B
#, xrefs: 00000232A60C3331
>, xrefs: 00000232A60C305C
#, xrefs: 00000232A60C05C5
A, xrefs: 00000232A60C224F

Memory Dump Source

Source File: 00000013.00000002.3428050894.00000232A60C0000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000232A60C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_232a60c0000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: c3ac44854b9ba601388992f599bf1cb506a94446ed4356cf0e4955152ee0cfe6
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: 66A3F731618A488BDB2EDF18DC856A973E6FB94701F14422EDD4BC7251DF34EA4A8BC1

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 00000010.00000003.2372472723.000001BDB8133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2310438499.000001BDB8DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2396778428.000001BDC1E47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2379816677.000001BDBC27E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2379816677.000001BDBC27E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2416133796.000001BDB91ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2396778428.000001BDC1E47000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2416133796.000001BDB91D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2388861705.000001BDC08B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242758712.000001BDC08B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2388861705.000001BDC08B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242758712.000001BDC08B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2379816677.000001BDBC27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242853321.000001BDC0894000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2379816677.000001BDBC27E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2242853321.000001BDC0894000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3423563418.000001C13A30C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3423563418.000001C13A30C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.3423563418.000001C13A30C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000002.3423435520.00000232A5A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423563418.000001C13A30C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000002.3423435520.00000232A5A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423563418.000001C13A30C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000002.3423435520.00000232A5A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3423563418.000001C13A30C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2396581943.000001BDC1EB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2416133796.000001BDB91ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2396778428.000001BDC1E47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.2396581943.000001BDC1EB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.2416133796.000001BDB91BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2416133796.000001BDB91D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.2403440442.000001BDBA088000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.6:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49911 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49909 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49917 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49918 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_3921d251-4c84-4cb1-8ed6-1478a7460f31.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_3921d251-4c84-4cb1-8ed6-1478a7460f31.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre